Need Advice on Php Version
I'm posting this for two reasons... one to get some advice and two to inform others that "may" run into this issue.
One of my customers is on a dedicated server. Their Merchant Account Provider has enlisted the services of SecurityMetrics - to do security audits to all their customers' eCommerce sites. Sadly, we failed; however the failure was strictly due to the Php Version currently on the server, which in our instance is Php 5.25 - Based on their review we need to upgrade to no less than 5.29, but 5.3 is preferable. We are running the latest version of Zen-Cart - 1.3.8a with all security fixes and admin relocation.
I know that a few weeks back I saw issues in the forum regarding installs on 5.3 having major issues, but for the life of me I can't find those posts now. This cart has extensive modifications so I will be checking for threads on some of those mods also, but in general, what issues will I encounter when I upgrade to 5.3.
This is a huge site (over 64G with nearly 20G db) with very heavy traffic and large sales volume, so I need to be prepared before I make the upgrade.
Again, any advice or heads up on what to expect with core code issues is really needed here and is much appreciated in advance for the assistance.
Ruth
Re: Need Advice on Php Version
Re: Need Advice on Php Version
Do you think I could smoothly upgrade to 5.29? (read the posts 5.3 - thanks for the link - searching just wouldn't pull that up for me).
Ruth
Re: Need Advice on Php Version
Quote:
Do you think I could smoothly upgrade to 5.29
Quote:
We are running the latest version of Zen-Cart - 1.3.8a with all security fixes and admin relocation.
If you know how to install the new php version a normal ZenCart will not require any adjustment
Re: Need Advice on Php Version
Quote:
Originally Posted by
kobra
If you know how to install the new php version a normal ZenCart will not require any adjustment
Hi there. Based on the errors I received on the scan and the fixes listed, originally it stated that if I recompiled Php to the latest stable release of 5.2.12 that it would solve all open issues. I did that and then re-ran the scan - This is so frustrating as now it is insisting on Php 5.3.2 - (why the report doesn't give you all the errors at once...is beyond me... :frusty: )
I d/l the patch you referred me to and I'm currently running tests as I did before to be sure I don't have the site down with errors.
Based on the test, the moment I attempt to put something in the cart I go to a white screen.
I'm getting the following error using error reporting -
PHP Deprecated: Function ereg() is deprecated in ...\includes\classes\db\mysql\query_factory.php on line 139.
I attempted modifying the file and made things worse, so I returned it back to the original. Can you help me out here?
I'm told that all Merchant Providers have received notification from Visa and Mastercard of these new tougher requirements... so there will be lots of folks forced to the latest release of PHP
(this is on my local Apache setup). Php is at 5.3.1 (I use XAMPP and this is their most recent build - don't have 5.3.2 to test - hoping this will do - ) with MySql 5.1.
Thanks in advance for your help here.
Ruth
Re: Need Advice on Php Version
Quote:
Do you think I could smoothly upgrade to 5.29
ZC runs best under this but as you have found out that the scans will send errors.
This might be a good read for you and there are other ways to handle php reported errors. I think you might like item 2
pass a pci compliance scan in 5 steps
Skip
Re: Need Advice on Php Version
Quote:
Originally Posted by
skipwater
ZC runs best under this but as you have found out that the scans will send errors.
This might be a good read for you and there are other ways to handle php reported errors. I think you might like item 2
pass a pci compliance scan in 5 steps
Skip
I'm not sure that will work with this particular scan co. My firewall does just that - it only allowed them to connect via http or https - and after pounding my server my firewall did a total deny on their IP. I was instructed in order to pass the scan I "had" to do a total allow in my IP tables file within my firewall application.
So truly I'm back to what is the fix for zen-cart for this release. Sooner or later we have to move to the current Php release -
I need to know what I need to do to correct this error so I can move on with the testing. I have no idea what else I'm facing, but please I really need a little help with this. My customer will lose the merchant account provider if I can't address this.
The error I listed happens just by merely adding a product to the cart, so it's core.
Ruth
Re: Need Advice on Php Version
I have noticed that none of the big guns have jumped in here. But if you have done all the other suggestions that have been made, and you still cannot get it to work,
Try this and see if it helps (it is not a real fix but it has given me a work around on a couple systems.)
Set the error reporting to E_ALL ^E_DEPRECATED where it is currently being set to E_ALL
change
Code:
error_reporting(E_ALL);
to
Code:
error_reporting(E_ALL ^E_DEPRECATED);
Skip
Re: Need Advice on Php Version
Thanks for your reply. I did that last night after reading posts re: osC having the same issues. The first error I had to get through was on query_factory.
You replace this line (found several times within the file)
Code:
if (!ereg('^[0-9]', $key)) {
with this:
Code:
if (!preg_match('/^[0-9]/', $key)) {
Now once I fixed that error, then I started seeing the rest and trust me there are a ton of them. I'm going to have to go file by file using error checking until I find them all. The most prominent at the moment are in the init_sanitize and in classes/temp_func.
A major patch needs to be released above and beyond what has been released to address all of this. Once I clean this all out, not sure what else I will find. Just going to take it one error at a time. This is going to take a while...
:frusty:
Ruth
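An inventory of the deprecated calls can be produced in one pass instead of being discovered one error at a time. The script below is an added example, not part of the original post and not Zen Cart code; it assumes a PHP 7 or later command line, and the function names and the sample source are constructed for illustration.

```php
<?php
// Added example (not Zen Cart code): list calls to the POSIX regex functions
// deprecated in PHP 5.3. The tokenizer is used so that names appearing in
// comments, strings or method calls are not reported.

const DEPRECATED_REGEX_FUNCS = ['ereg', 'eregi', 'ereg_replace', 'eregi_replace',
                                'split', 'spliti', 'sql_regcase'];

// Nearest token before/after position $i that is not whitespace or a comment.
function neighbour(array $tokens, int $i, int $step)
{
    for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}

function find_deprecated_calls(string $source): array
{
    $tokens = token_get_all($source);
    $hits = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] !== T_STRING) continue;
        $name = strtolower($tok[1]);
        if (!in_array($name, DEPRECATED_REGEX_FUNCS, true)) continue;
        if (neighbour($tokens, $i, 1) !== '(') continue;      // not a call
        $prev = neighbour($tokens, $i, -1);
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;                                          // method or definition
        }
        $hits[] = ['line' => $tok[2], 'function' => $name];
    }
    return $hits;
}

// Constructed sample; the ereg() line is the one quoted in the thread.
$sample = <<<'SRC'
<?php
// old code called ereg() here
if (!ereg('^[0-9]', $key)) { $ok = false; }
$parts = split(',', $list);
$clean = $obj->split($list);
echo "ereg() inside a string";
SRC;

foreach (find_deprecated_calls($sample) as $hit) {
    printf("line %d: %s()\n", $hit['line'], $hit['function']);
}
```

To check a real file, pass `file_get_contents($path)` to `find_deprecated_calls()` for each `.php` file in the test copy of the site.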
Re: Need Advice on Php Version
Quote:
Originally Posted by rwoody
A major patch needs to be released above and beyond what has been released to address all of this. Once I clean this all out, not sure what else I will find. Just going to take it one error at a time. This is going to take a while...
I see back where this is a dedicated server...
You didn't post any of the server details
Specifically the server Linux OS
There are thousands of installs and most run trouble free for the most part and do not have the issues you are experiencing with ZenCart out-of-the-box/patched for security
Re: Need Advice on Php Version
Quote:
Originally Posted by
kobra
I see back where this is a dedicated server...
You didn't post any of the server details
Specifically the server Linux OS
There are thousands of installs and most run trouble free for the most part and do not have the issues you are experiencing with ZenCart out-of-the-box/patched for security
Kobra, until now I would have totally agreed with you, but with the advent of Php3.X there are huge changes and Zen-Cart is not compatible. I spoke with another friend of mine today that is a high level individual with credit card security. He reminded me that he had warned these changes were coming awhile back, but at the time I wasn't sure what he meant.
Visa and MasterCard are requiring their merchant providers to have all their eCommerce customers' sites scanned. They do this quarterly so the requirements often change with each scan. They are now insisting on Php 3.2 - or the site fails. I've had this site for five years... so trust me this is a brand new requirement.
Here is the exact response from the scan -
Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws. Description : According to its banner, the version of PHP installed on the remote host is older than 5.3.2
In speaking with them directly, I was informed I need to recompile the server to the latest release - Php5.3.2 (I just did a successful recompile taking the site to 5.2.12 as originally they indicated this would solve their issues; however, once I ran the scan again, this new requirement popped up)
In my local test environment so far I've patched the following files in addition to adding the patched files provided in the d/l here:
classes\db\mysql\query_factory.php
includes\functions\functions_lookups.php
init_sanitize.php
template_functions.php
I still have issues with the following files I'm trying to work through.
functions_email.php
includes\classes\class.smtp.php
includes\init_includes\init_templates.php
It seems that once I solve one set of errors and work further through the site's checkout process more arise, so I'm sure these are not the end of it. Nor am I sure I can solve all the issues. I'm not a strong coder.
Ruth
Re: Need Advice on Php Version
Have you tried compiling to php 5.3.2 and patching with this
http://www.zen-cart.com/forum/showthread.php?t=140960
Re: Need Advice on Php Version
Quote:
Originally Posted by
kobra
That was the first thing that I did, but it does not go far enough to correct all the issues.
Basic Example: query_factory.php (which was not in that patch)
Line 139 - if (!ereg('^[0-9]', $key))
Correct to: if (!preg_match('/^[0-9]/', $key))
the reference in line 139 is found several times within the file and had to be edited. The other files that I listed had similar changes that were required and have been done.
Now I'm finding issues with functions_email.php and also in sessions.php- so I'm off to research those as they are not so obvious to me.
I'm doing this all in a test environment I set up locally as I did not want to recompile the production server until I knew I'd solved all the issues. I did the same thing before I recompiled to Php 5.2.12 -
Re: Need Advice on Php Version
The session file is really confusing me as to what the issue is there. I've made the correction needed on line 223
PHP Code:
if (preg_replace('/[a-zA-Z0-9]/', '', session_id()) != '') session_regenerate_id();
This took care of the first error regarding ereg_replace, but it's also throwing a "headers already sent" error and there are no white spaces and the opening <?php is at the very top of the page. The exact error is:
PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at includes\functions\sessions.php on line 215
That error was present "before" I edited the file.
Any ideas anyone?:huh:
Re: Need Advice on Php Version
Quote:
Originally Posted by
rwoody
Here is the exact response from the scan -
Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws. Description : According to its banner, the version of PHP installed on the remote host is older than 5.3.2
The Apache banner should be switched off so that the scan cannot determine the PHP version.
Regards,
Christian.
Re: Need Advice on Php Version
Quote:
Originally Posted by
rwoody
That was the first thing that I did, but it does not go far enough to correct all the issues.
Once the PHP 5.3 patch has been applied the cart should run fine without any errors. Technically you can still use ereg(); you just have to switch off the warning message, which is what the patch does.
Regards,
Christian.
Re: Need Advice on Php Version
Quote:
Originally Posted by
CJPinder
The Apache banner should be switched off so that the scan cannot determine the PHP version.
Regards,
Christian.
Where can I turn that off?
Re: Need Advice on Php Version
If you have the 5.3 patch installed correctly, that is what turns off the deprecation warning. I've been reading back over this thread and rather suspect that your problem is that you don't have the patch installed correctly, and are then trying to deal with each warning as though it was an error.
Re: Need Advice on Php Version
Quote:
Originally Posted by
rwoody
Where can I turn that off?
In the httpd.conf you need to add (or edit if they are already there) the following directives...
Code:
ServerSignature Off
ServerTokens Prod
...You will need to restart Apache (httpd) after making the changes.
You also need to edit your php.ini file and set the following...
With those settings the scans will not be able to determine what version of PHP you are using and they'll stop moaning about old versions.
Regards,
Christian.
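Whether the directives took effect can be confirmed by looking at the response headers the scanner reads. The script below is an added example, not part of the original post; the function name and both sample responses are constructed, and it also looks at the X-Powered-By header that PHP adds itself when expose_php is on. It reports what the banner discloses, not whether the installed PHP build is patched.

```php
<?php
// Added example: report which response headers still disclose a version.

function version_disclosures(string $rawHeaders): array
{
    $found = [];
    foreach (preg_split('/\r?\n/', trim($rawHeaders)) as $line) {
        if (strpos($line, ':') === false) continue;      // status line, not a header
        list($name, $value) = array_map('trim', explode(':', $line, 2));
        if (!in_array(strtolower($name), ['server', 'x-powered-by'], true)) continue;
        // Collect product/version tokens such as "PHP/5.2.12".
        if (preg_match_all('~[A-Za-z_-]+/\d+(?:\.\d+)*~', $value, $m)) {
            $found[$name] = $m[0];
        }
    }
    return $found;
}

// Constructed responses: full banner, then the banner with versions suppressed.
$before = "HTTP/1.1 200 OK\r\n"
        . "Server: Apache/2.2.14 (Unix) PHP/5.2.12\r\n"
        . "X-Powered-By: PHP/5.2.12\r\n"
        . "Content-Type: text/html\r\n";
$after  = "HTTP/1.1 200 OK\r\n"
        . "Server: Apache\r\n"
        . "Content-Type: text/html\r\n";

foreach (['before' => $before, 'after' => $after] as $label => $raw) {
    $leaks = version_disclosures($raw);
    echo $label, ': ',
         $leaks ? json_encode($leaks, JSON_UNESCAPED_SLASHES) : 'no version disclosed',
         "\n";
}
```

Against your own server, feed it `implode("\r\n", get_headers($url))` after restarting Apache.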
Re: Need Advice on Php Version
Currently the settings in my http.conf are
ServerSignature Off
ServerTokens ProductOnly
So you are saying change the second line to:
ServerTokens Prod ?
Re: Need Advice on Php Version
Quote:
Originally Posted by
rwoody
Currently the settings in my http.conf are
ServerSignature Off
ServerTokens ProductOnly
So you are saying change the second line to:
ServerTokens Prod ?
No, ServerTokens ProductOnly is fine (ProductOnly and Prod are the same). Check that you have the correct httpd.conf file though,
there may be more than one.
Regards,
Christian.
Re: Need Advice on Php Version
Yes I have the correct files, but I changed it anyway based on a post I read on Apache Security, and changed the ini file. I'm re-running the scan now. I finally got all the errors out of the front end, but the admin is a disaster and will take hours to clean up.
I know I've been advised here turning error reporting off does the trick, but I had white screens, until I edited a slew of files.
The admin doesn't hide the errors...it won't let me even enter the admin itself until I fix them all. Thank gosh I didn't touch production site until I verified this all in my test environment - I would be in a total panic. As it is, when I've got the test version error free, then I'll take the site down, recompile and build in the new changes.
I'm running the scan again with your suggestions, but up till now the bot seems to be able to get to see everything.
I had to completely pull out and rebuild the blog I had integrated in order to upgrade that to the latest release, which wasn't fun, but got it done and then recompiled to 5.2.12, as I was originally told that would satisfy them, then they sent me another failed report saying nope...gotta go to 5.3.2 -
I think I want a new job...LOL :dontgetit
Re: Need Advice on Php Version
I d/l the patch you referred me to and I'm currently running tests as I did before to be sure I don't have the site down with errors.
Based on the test, the moment I attempt to put something in the cart I go to a white screen.
I'm getting the following error using error reporting -
PHP Deprecated: Function ereg() is deprecated in ...\includes\classes\db\mysql\query_factory.php on line 139.
I attempted modifying the file and made things worse, so I returned it back to the original. Can you help me out here?
I'm told that all Merchant Providers have received notification from Visa and Mastercard of these new tougher requirements... so there will be lots of folks forced to the latest release of PHP
Re: Need Advice on Php Version
Quote:
Originally Posted by
halkhata987
Based on the test, the moment I attempt to put something in the cart I go to a white screen.
Then you have a PHP error happening.
Quote:
Originally Posted by
halkhata987
I'm getting the following error using error reporting -
PHP Deprecated: Function ereg() is deprecated in ...\includes\classes\db\mysql\query_factory.php on line 139.
Then you've not actually applied the PHP 5.3 patch update correctly.
Quote:
Originally Posted by
halkhata987
I attempted modifying the file and made things worse, so I returned it back to the original. Can you help me out here?
There's no need to go and modify all the ereg() calls in the code. The patch takes care of suppressing the warnings, because that's all they are: warnings.
Quote:
Originally Posted by
halkhata987
I'm told that all Merchant Providers have received notification from Visa and Mastercard of these new tougher requirements... so there will be lots of folks forced to the latest release of PHP
That's why the patch was released. And, of course, the next version of Zen Cart will be PHP 5.3 compatible.