CyberSite.net Knowledge Base
Differences between Legacy & Refreshed PHP Platforms • Article 362


Summary
As part of our platform refresh for PHP5, we have made several important changes that developers need to be aware of. These changes were made to increase security, help mitigate spam, and bring our platform up to the current standards for PHP web hosting. These changes are summarized in the table below.

Legacy PHP4/PHP5                       | New PHP5
REMOTE_ROOT set to server directory    | REMOTE_ROOT set to customer directory
REMOTE_ADDR set to load-balancer IP    | REMOTE_ADDR set to remote IP
Default Charset Latin1                 | Default Charset UTF-8
Register Globals On                    | Register Globals Off
Files owned by Apache user www-data    | Files owned by user
Old rewrite rules                      | New rewrite introduced by Apache
dlopen() allowed                       | dlopen() not allowed
Remote includes allowed                | Remote includes not allowed
mail() -f switch required              | mail() return-path as user

DOCUMENT_ROOT
Previously, DOCUMENT_ROOT did not accurately reflect the web root and had to be fixed in code. This is no longer the case. 

$_SERVER["DOCUMENT_ROOT"] now accurately reflects the customer root directory.

Any code that was altered to work around these issues previously will continue to work after the transition.

REMOTE_ADDR
Previously, REMOTE_ADDR did not accurately reflect the visitor’s IP and had to be fixed in code by changing the variable to HTTP_X_CLUSTER_CLIENT_IP. This is no longer the case.

$_SERVER["REMOTE_ADDR"] now accurately reflects the remote IP.

Any code that was altered to work around these issues previously will continue to work after the transition.
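
One way to read the visitor's address so that the same code behaves correctly on both platforms, as an added example (not CyberSite.net's code). Entries in $_SERVER that begin with HTTP_ come from request headers, so the helper reads HTTP_X_CLUSTER_CLIENT_IP only when REMOTE_ADDR is a known load balancer. The function name, the $trustedProxies list and all addresses are assumptions made for illustration.

```php
<?php
// Added example. $trustedProxies is a hypothetical list of load-balancer
// addresses; every address below is a constructed documentation address.
function client_ip(array $server, array $trustedProxies = array())
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // Refreshed platform: REMOTE_ADDR is the visitor's address. Use it
    // directly unless the connection came from a known load balancer.
    if (!in_array($remote, $trustedProxies, true)) {
        return filter_var($remote, FILTER_VALIDATE_IP) ? $remote : null;
    }

    // Legacy platform: REMOTE_ADDR is the load balancer, so the forwarded
    // header is the only source. It is still request data, so validate it.
    $fwd = isset($server['HTTP_X_CLUSTER_CLIENT_IP'])
        ? trim($server['HTTP_X_CLUSTER_CLIENT_IP'])
        : '';
    return filter_var($fwd, FILTER_VALIDATE_IP) ? $fwd : null;
}

// Constructed requests: one as seen behind the legacy load balancer, one as
// seen on the refreshed platform with a header supplied by the client.
$legacy = array(
    'REMOTE_ADDR'              => '192.0.2.10',
    'HTTP_X_CLUSTER_CLIENT_IP' => '198.51.100.7',
);
$refreshed = array(
    'REMOTE_ADDR'              => '198.51.100.7',
    'HTTP_X_CLUSTER_CLIENT_IP' => '203.0.113.99',
);

$proxies = array('192.0.2.10');
var_dump(client_ip($legacy, $proxies));     // header is used
var_dump(client_ip($refreshed, $proxies));  // header is ignored
```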

Default Charset
On our refreshed PHP5 platform, the default character set is UTF-8. Going forward, we will continue to use this as a default for our hosting platforms. This allows for easier internationalization of applications. There are two ways to migrate a Latin1/ISO-8859-1 site to UTF-8. The simplest and most transparent way is to change the default charset back to ISO-8859-1 using .htaccess.

Adding the following snippet to .htaccess will accomplish this:

# Set the default charset to ISO-8859-1
AddDefaultCharset ISO-8859-1

This solution is most applicable to off-the-shelf commercial applications which are not natively multibyte aware.

The other way to do this would be to convert database values from ISO-8859-1 and re-import them. Once databases have been converted and re-imported, the application itself must be modified to be aware of multibyte strings.

For example, functions like “strlen()” are not multibyte aware, and should be replaced with the appropriate mb_ functions (“mb_strlen()”, in this case).

PHP has a feature to automatically overload all standard string functions with multibyte aware functions.  This is the “mbstring.func_overload” configuration value, and it can be set in .htaccess with a line like the following:

# Overload standard string functions
php_value mbstring.func_overload 4

The various values for mbstring.func_overload are summarized below:

mbstring.func_overload | original function | overloaded function
1                      | mail              | mb_send_mail
2                      | strlen            | mb_strlen
2                      | strpos            | mb_strpos
2                      | strrpos           | mb_strrpos
2                      | substr            | mb_substr
2                      | strtolower        | mb_strtolower
2                      | strtoupper        | mb_strtoupper
2                      | substr_count      | mb_substr_count
4                      | ereg              | mb_ereg
4                      | eregi             | mb_eregi
4                      | ereg_replace      | mb_ereg_replace
4                      | eregi_replace     | mb_eregi_replace
4                      | split             | mb_split

In addition, the default encoding type must be set to match the encoding type specified by Apache.  The following .htaccess snippet will do this:

php_value mbstring.internal_encoding UTF-8

Once these changes have been made, the database converted from ISO-8859-1 to UTF-8, and all string literals in PHP code have been changed to UTF-8, the application will have become aware of international character sets.
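
The conversion and the byte-versus-character difference described above, as an added example (not CyberSite.net's code). It shows why length checks and truncation on user input must switch to the mb_ functions once data is UTF-8. The helper names and the sample string are constructed for illustration.

```php
<?php
// Added example: sample data is constructed, helper names are hypothetical.
mb_internal_encoding('UTF-8');

// Convert a value exported from a Latin1 database to UTF-8. Values that are
// already valid UTF-8 are returned unchanged so a second run does not
// double-encode them. This is a heuristic: a few Latin1 byte sequences are
// also valid UTF-8 and cannot be told apart.
function latin1_to_utf8($value)
{
    if (mb_check_encoding($value, 'UTF-8')) {
        return $value;
    }
    return mb_convert_encoding($value, 'UTF-8', 'ISO-8859-1');
}

// A length limit enforced in characters rather than bytes, rejecting input
// that is not valid UTF-8 at all.
function within_limit($input, $maxChars)
{
    return mb_check_encoding($input, 'UTF-8')
        && mb_strlen($input, 'UTF-8') <= $maxChars;
}

// "café" as stored on the legacy platform: é is the single byte 0xE9.
$legacy = "caf\xE9";
$utf8   = latin1_to_utf8($legacy);

// strlen() counts bytes, mb_strlen() counts characters.
printf("bytes=%d chars=%d\n", strlen($utf8), mb_strlen($utf8));

// Byte-based truncation can split a multibyte character and leave invalid
// UTF-8 behind; mb_substr() cuts on character boundaries.
$byteCut = substr($utf8, 0, 4);     // stops after the first byte of é
$charCut = mb_substr($utf8, 0, 4);  // keeps the whole character

var_dump(mb_check_encoding($byteCut, 'UTF-8'));
var_dump(mb_check_encoding($charCut, 'UTF-8'));
var_dump(within_limit($utf8, 4));
```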

Register Globals
The PHP team has deprecated this variable and fully removed it in their new PHP builds.  Our refreshed PHP5 platform has register globals disabled, and it cannot be enabled from .htaccess. The following URL discusses the security issues associated with register_globals.

http://us3.php.net/register_globals

To migrate a site using register_globals to the new PHP5 platform, any GET/POST variables that are referenced from the code must be replaced with the corresponding $_REQUEST (or $_GET/$_POST superglobals) value. 

File ownership
This is probably the most asked for feature at Mosso.  Files uploaded via a web application will now be owned by your user instead of www-data. The files will be viewable and modifiable via SFTP/FTP and owned by the site user, rather than being owned by the Apache user. No changes need to be made in code to enable this feature.

Rewrite rules
As part of our platform refresh, we are moving from Apache 1.3 to Apache 2.2. Most features and functionality of Apache are the same between versions. However, changes to Apache’s mod_rewrite may impact your application. In Apache 1.3, URLs passed to mod_rewrite do not have the leading forward slash. URLs that used to look like “/login.php” now get passed to mod_rewrite as “login.php”. Consequently, rewrite rules that specify a leading forward slash like the following will no longer work:

RewriteRule ^/login\.php new_login.php

These need to be re-written as:

RewriteRule ^login\.php new_login.php

An easier way to rewrite these is to write them such that they work on either platform by making the leading forward slash optional. This is illustrated below:

RewriteRule ^/?login\.php new_login.php

dlopen()
In the past, we allowed binary PHP modules to be loaded using the PHP dlopen() function. This is no longer the case. Any binary PHP modules must be installed by our system operations team. Should you find a binary module that you require, please let a member of our support team know. Upon testing, we will determine whether we can install it on our new PHP5 cluster.

Remote includes
PHP’s include() function can take remote URLs as a parameter.  This can allow for code injection attacks, particularly when register_globals is on.  The following Wikipedia article discusses this in more detail:

http://en.wikipedia.org/wiki/Remote_File_Inclusion

From a migration standpoint, all includes that are http includes (for example, include("http://mysite.com/include.php")), must be changed to local file paths.

The following code snippet illustrates this:

include("{$_SERVER['DOCUMENT_ROOT']}/include.php");
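
A page loader migrated along the lines of the Register Globals and Remote includes sections, as an added example (not CyberSite.net's code). The request value is read explicitly from $_GET, mapped through a fixed allow-list, and included only as a local path under DOCUMENT_ROOT. The "page" parameter, the function name and the file names are hypothetical.

```php
<?php
// Added example; the "page" parameter and the file names are hypothetical.

// Legacy pattern, shown only for comparison. It relies on register_globals
// filling $page from the query string and on remote includes being allowed:
//     include($page);

// Migrated pattern: the caller passes the request array explicitly, the
// value selects an entry from a fixed allow-list, and the result is always
// a local path under the document root.
function resolve_page(array $query, $docRoot)
{
    $allowed = array(
        'home'    => 'pages/home.php',
        'contact' => 'pages/contact.php',
    );

    $key = isset($query['page']) ? $query['page'] : 'home';

    // Array input (?page[]=x) and unknown names fall back to the default.
    if (!is_string($key) || !isset($allowed[$key])) {
        $key = 'home';
    }

    return rtrim($docRoot, '/') . '/' . $allowed[$key];
}

$path = resolve_page($_GET, $_SERVER['DOCUMENT_ROOT']);
if (is_file($path)) {
    include $path;
} else {
    header('HTTP/1.0 404 Not Found');
}
```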

php mail() Return-Path
The previous use of “php_value mail.force_extra_parameters -f” in the .htaccess file will no longer work on our refreshed PHP5 platform. Mail will still send properly on the new platform, and the return path can be forced by hard-coding the -f switch in your mail() call. If you have used the -f switch in the past, moving to the new platform will have no negative effects on your code.
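
Setting the return path in the mail() call itself, as an added example (not CyberSite.net's code). The fifth argument of mail() is handed to the mail program, so the address is checked against a conservative pattern before it is used. The helper name, the pattern and the use of the same address in the From header are assumptions made for illustration.

```php
<?php
// Added example; the helper name is hypothetical and the address pattern is
// deliberately stricter than what the mail standards allow.
function send_with_return_path($to, $subject, $body, $returnPath)
{
    // The return path is appended to the mail program's parameters, so
    // accept only a plain address: no quotes, whitespace or control bytes.
    $plain = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/';
    if (!is_string($returnPath)
        || !preg_match($plain, $returnPath)
        || filter_var($returnPath, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Reject CR/LF in fields that become headers, to prevent header
    // injection from user-supplied values.
    foreach (array($to, $subject) as $field) {
        if (!is_string($field) || preg_match('/[\r\n]/', $field)) {
            return false;
        }
    }

    $headers = 'From: ' . $returnPath;

    // Fifth argument: extra parameters for the mail program; -f sets the
    // envelope sender, which becomes the Return-Path.
    return mail($to, $subject, $body, $headers, '-f' . $returnPath);
}
```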



Copyright 2011 CyberSite.net, a subsidiary of Group One Communications, Inc., All rights reserved worldwide.