Trouble installing php5


#1

hi
hope some can help me out, newbie at this but desperatly need advice…
i need for some rssfeeds to get url file access etc wich is disabled as default by dreamhost one solution support told me was to install my own php5.

i tried following wiki, is this all i should do?

Install/Compile PHP 5

  1. Copy the PHP5_installscript into a text editor and replace YOUR DOMAIN HERE on the 4th line with your site’s domain name. MAKE SURE YOU USE THE SAME CASE THAT APPEARS IN THE DIRECTORY LISTING (UPPER or lower).
  2. Copy the new contents to your clipboard.
  3. Log in to your account using SSH
  4. Create a new file in your SSH by entering the command:

vim installscript

  1. Hit i for insert mode, then right-click to paste your clipboard (the install script) contents, then hit Esc, type :wq (that’s ‘colon’, ‘w’, ‘q’), and press Enter to save and exit.
  2. Make the file executable by entering the command:

chmod +x installscript

  1. Run the script by entering the command:

./installscript

  1. After it has finished you will need to edit your htaccess file appropriately. Add the following:

AddHandler phpFive .php
Action phpFive /cgi-bin/php.cgi

to a file called .htaccess and place it in the root folder of your domain you specified above (/home/YOUR USERNAME/YOUR DOMAIN HERE/.htaccess)


the domain is http://www.annonstoppen.com/
i after installation uploaded a testfile with rssfeed but cant even webbrowse to it? doesnt seem to be there even though i ftp:ed it to that catalog…

i made a new .htaccess file with the 2 added lines wiki tells me about and ftp.ed it to root too but nothing helps…
anthing i must do with the domain itself in the Domain Management in my dreamhost panel?
any ideas overall what to do?


#2

I cannot honestly recommend that you reconfigure PHP to set allow_url_fopen to “on” to facilitate the retrieval and subsequent display of an rss feed.

To me the much preferable solution is to either modify your rss feed program to use cURL, or use a more modern rss feed program that does not rely upon allow_url_fopen, for handling your feeds.

There are several out there for you to choose from. I have had good success with magpierss and simplepie.

–rlparker


#3

thanx

but i have one software hyprVRE that i cannot change code in and there are sevral bought scripts i cannot change in either.
a-i would rather not change hosting again because it seems to much work and risk of loosing stuff on the way i suppose…
b-support told me this could be one way

are there any negative sides to this?
will i destroy older phpscripts allready installed on same domain?

also on Manage Domains in dreamhost panel should i choose domain to run php5 here or doesnt it matter because the new installed php5 will override this setting?

also the directory i see in putty hasnt got same files as the dir i see in ftpclient that is suppose to show exactlly same files??
putty:
[hupmobile]$ ls
Maildir installscript logs php5 www.annonstoppen.com

ftp:
index.php (the one i ftped up and want to test rssfeedoutput from…)
.htaccess (also ftped up with 2 lines as described in wiki)

please someone help?


#4

Support is correct that this is “one way” to deal with your situation (I just don’t think it is the best, or even a “good”, way to do it). There are “negative sides” to doing this. In addition to the difficulty of doing it successfully in the first place (many seem to find this difficult to do), you will then be running PHP with allow_url_fopen “on”, and that is a security risk. This is explained in the link that I provided in my first response. Also you should understand that DH technical support will not support you in doing this, so if you bork it you will be “on your own” as far as DreamHost is concerned.

You won’t destroy the scripts, but depending upon how you configure your custom PHP installation, and the requirements of the other scripts you are running, you could introduce incompatibilities which could prevent other scripts from running.

If all those scripts are running fine as it is under DreamHost’s default PHP5, and if all you change is the allow_url_fopen setting, then you should not have any problems in that regard.

If you install your custom PHP5 correctly and set it up to process all your scripts, then it doesn’t make any difference how you have PHP “set” in the Control Panel.

You are looking at two different directories. Putty logs you in to your user directory (/home/hupmobile) and your FTP client is logging you into you "domain’s base directory (/home/hupmobile/www.annonstoppen.com. If you view the same directory with the ls command from the shell as you are viewing from your FTP client, you should see the same contents.

If you are only trying to set allow_url_fopen to “on”, there is no need to compile and install your own PHP (though, again, I recommend that you do not do this). You can make that setting without going through all of that by using a copy of the default DreamHost PHP with your own custom php.ini file (and that file is where you can change the setting to turn allow_url_fopen “on”) as described in the following wiki pages:

http://wiki.dreamhost.com/PHP.ini
http://wiki.dreamhost.com/Custom_PHP.ini

Most find this to be much easier than installing your own PHP, but, even though it is allowed, it also is not supported by DreamHost, so my prior warning about being “on your own” also applies here.

Finally, one last time: I do not recommend that you enable allow_url_fopen for use with scripts on your shared server. This function, and other related, functions were disabled by DreamHost for good reason. If not used correctly, they introduce certain security risks and can be exploited (and they often are).

If you cannot “modify” scripts that you are running (either because you do not have the knowledge or because of commercial encrypted code), this is especially true because you do not know how safe that code really is.

–rlparker


#5

Has anyone recently explained WHY this is a seriously bad idea and how much we DON’T want it enabled on a server we share?

Maybe then the right solution as compared to the “sort of quick” solution will be chosen.

Wholly - Use promo code WhollyMindless for full 97$ credit. Let me know if you want something else!


#6

Well, I’ll grant that a discussion about allow_url_fopen could evolve into something of a “Holy War”, with some of the PHP community maintaining that it is needlessly risky to use when “safer” alternatives exist and others maintaining that it should not be considered risky “in and of itself” if it is used properly.

There is a lot of information about this in various places on the web. A few examples are below:

http://phpsec.org/projects/phpsecinfo/tests/allow_url_fopen.html
http://www.owasp.org/index.php/File_System#Includes_and_Remote_files
http://safari.oreilly.com/059600656X/phpsec-CHP-6-SECT-2
http://osdir.com/ml/security.web-applications/2005-12/msg00120.html
http://technosailor.com/lessons-in-web-security-php-and-remote-file-execution/

There is also an example of a potential exploit on our own DreamHost wiki page on the subject: http://wiki.dreamhost.com/Allow_url_fopen#Example_exploitation

This begs the obvious question: “If allow_url_fopen is so potentially dangerous, why does DreamHost even allow us to implement a work-around to enable it on a shared server?”

While I can’t answer for DreamHost, my sense of it is that DreamHost wants to facilitate us in every reasonable way, and it is possible to use allow_url_fopen safely if a programmer is sufficiently sophisticated, conscious of the hazards involved, and not just too lazy to “do it right”.

By making it “less than trivial” to enable allow_url_fopen on DreamHost shared servers, they have introduced something of a “barrier to entry” that might result in only those who “know what they are doing” re-enabling the functions.

Frankly, I worry that the wiki’s instructions go too far in removing that barrier and that the result might be that users who do not “know what they are doing” might enable the functions for use with insufficienty robust, or hardened, code resulting in exploited/compromised servers.

I do not want it enabled on a server that I share with others so badly that I almost wish there were not the “workarounds” out there that allow “almost anyone” to enable it. I say “almost wish” because I really do like the fact that we can tweak our environments as necessary - I just worry that someone who shares my server will do something stupid with their configuration and I’ll also suffer as a result.

The problem is that, for most who are asking about such things here, they do not understand the problem and/or do not have the expertise (or interest) to inspect/modify any code they might be running to make sure it is properly hardened- they just want to “run it”. I think that is a pretty safe assessment because a programmer would not be asking the question in the first place - the error message clearly indicates the problem, and the wiki (or general knowledge of PHP) is all that is needed to apply the “fix”.

There is so much code out there, of varying degrees of quality, it is not really reasonable to assume a DreamHost user on a shared server can or will ensure they are only running appropriately hardened code.

I’m suspicious of any code that requires the use of those functions today because:

  1. cURL has been around a long time and is not that hard to use, and is a much better solution

  2. The continued use of allow_url_fopen ,when writing scripts you expect will be run be others in different hosting environments than your own, could be due to either laziness, or ignorance, considering that many other hosts also disable it.

  3. If “laziness” is the reason, it is unlikely that the programmer has gone to the extra trouble of filtering the input sufficiently.

  4. If ignorance of common exploits and the state of common PHP hosting environments is the reason, it is likely the programmer has not kept up with the “standard of coding” required to provide “safe” applications for today’s web.

To me the “bottom line” is that DreamHost has done the “right thing” with this, and that it shouldn’t be changed except by those who are capable of identifying such risks in others’ code, skilled in employing hardening techniques to mitigate those risks, and industrious enough to do both.

–rlparker


#7

ok thanx for great info guys.

just strange how many hostings seems to allow url file access and not usin curl…and the scripts using the first of them…

so changing the php.ini doesnt require installing own version of php5 then?

ok if i have installed own version of php5 how can i undo it in simpliest way?

regards
regards


#8

That is correct, it does not.

Just delete the files created by the install, and remove the handler information from your .htaccess file(s).

On the other hand, if you have already installed it successfully, I see no reason not to use it. :wink:

–rlparker


#9

hmm and if i just for curiosity wanted to know how to make the php.ini change to allow url file access how is that done =) ?


#10

As I explained in my previous post in this thread:

" You can make that setting … by using a copy of the default DreamHost PHP with your own custom php.ini file (and that file is where you can change the setting to turn allow_url_fopen “on”) as described in the following wiki pages:

http://wiki.dreamhost.com/PHP.ini
http://wiki.dreamhost.com/Custom_PHP.ini"

I’m concerned that you are asking this question, given our previous discussion. If you have already installed a custom PHP5, and configured it to set allow_url_fopen to “on”, you have acheived your goal. Why would you now want to go the other route?

–rlparker


#11

hi thanx
yes i got confused about the “using a copy of the default framhost php…” that i thought meant installing my own php5 according to the wiki…
maybe its my rusty english the made it…think so.
ok so i only have to change php.ini thats good news! i did look at wiki on that info but didnt find exact what to put inj the file regarding setting allow_url_fopen “on” and i am a newbie to this so…
i did try to install own php5 according to wiki and thought it did ok but i couldnt have because puttys dir and ftps dir didnt match at all…

i am stuck here sorry…

regards

As I explained in my previous post in this thread:

" You can make that setting … by using a copy of the default DreamHost PHP with your own custom php.ini file (and that file is where you can change the setting to turn allow_url_fopen “on”) as described in the following wiki pages:


http://wiki.dreamhost.com/Custom_PHP.ini"

I’m concerned that you are asking this question, given our previous discussion. If you have already installed a custom PHP5, and configured it to set allow_url_fopen to “on”, you have acheived your goal. Why would you now want to go the other route?

–rlparker