PHP Website broken - help!

[markpeers]

Hi

I've had a website hosted here at EUKhost for a few years now, it runs phpwebsite CMS and has been working fine. Recently the security settings in PHP have been changed on the server to block the php function "ini_set". This has broken phpwebsite which uses this function to set the path correctly for accessing other modules.

The line of code that seems to be causing the problem is:

Code:

ini_set('include_path', '.' . PATH_SEPARATOR . PHPWS_SOURCE_DIR . 'lib/pear/');

Please can someone suggest how I get around this problem? I've seen mention of using .htaccess to set the php_value include_path but I'm not sure how to do this.

Thanks

Mark

[DavidAllen]

Quote:

Originally Posted by markpeers

Hi

I've had a website hosted here at EUKhost for a few years now, it runs phpwebsite CMS and has been working fine. Recently the security settings in PHP have been changed on the server to block the php function "ini_set". This has broken phpwebsite which uses this function to set the path correctly for accessing other modules.

The line of code that seems to be causing the problem is:

Code:

ini_set('include_path', '.' . PATH_SEPARATOR . PHPWS_SOURCE_DIR . 'lib/pear/');

Please can someone suggest how I get around this problem? I've seen mention of using .htaccess to set the php_value include_path but I'm not sure how to do this.

Thanks

Mark

Mark - I'd look to see where/how it gets the values for PHPWS_SOURCE_DIR from - I suspect that might be blank or something and that could be causing the apparent security warnings

[markpeers]

Thanks for the reply Dave.

I suspect that if the value of PHPWS_SOURCE_DIR was wrong then the website would always have had this problem. The website has been operating correctly for a couple of years and has suddenly started reporting these errors.

Cheers

Mark

[DavidAllen]

I say that cos a customer had a similar problem (I'm a reseller) and I traced his code back and it was the d/b call to the configuration table that was causing the problem (like you he had changed nothing, been working for years etc etc). His problem was cos the call to the config table was done with pconnect which has stopped being allowed. Your package could be similar or it could be related to the register_globals thing.
Regards

[eUKhost.com]

Quote:

Originally Posted by markpeers

Hi

I've had a website hosted here at EUKhost for a few years now, it runs phpwebsite CMS and has been working fine. Recently the security settings in PHP have been changed on the server to block the php function "ini_set". This has broken phpwebsite which uses this function to set the path correctly for accessing other modules.

The line of code that seems to be causing the problem is:

Code:

ini_set('include_path', '.' . PATH_SEPARATOR . PHPWS_SOURCE_DIR . 'lib/pear/');

Please can someone suggest how I get around this problem? I've seen mention of using .htaccess to set the php_value include_path but I'm not sure how to do this.

Thanks

Mark

You can open a ticket from http://support.eukhost.com and get your account moved on another server which has been reserved for insecure code. We have disabled all insecure php functions on all server excluding one which has been reserved for customers who cannot modify their code to make it secure.

[sprint66]

I have just discovered that this has just recently been done on my server, effecting many of my websites!!

This really annoys me, because I really don't think you should be doing this without notifying your customers first! You did this a while ago by changing the php version, which broke several of my websites (JXY-45017-391). In this support ticket you said you would try and notify us of any future changes, well, this has obviously not been done!

So now I have to spend my weekend applying emergency fixes to my websites. If I had been warned this was going to happen I could make the nessecary fixes before this change, then my websites don't break, and I don't look stupid.

Chris

[sprint66]

Actually I have raised a ticket to get my account moved to this different server..

[eUKhost.com]

okay. thats fine then.

let me know if you face any problems after getting moved to different server.

[sprint66]

Well its not fine, because I wish I had been notified before the change. Please please please is there any way we can be notified before changes like this are made?

[Rock]

Hi,
I apologize on behalf of our team on not notifying you regarding the changes that were done on the server recently. We have to go for security first in some cases before even notifying people regarding the changes that are meant to be done server wide. We have very little time sometimes in cases of massive attacks/hacks. We have disabled certain php functions on our servers which really cause (& have caused) havoc everywhere. I hope you understand the security concerns, it's better to have a website down for few minutes, maybe even hours than getting to see all unknown & bad stuff all over your website. I think you (or anyone else including the 1500+ clients on the same server) wouldn't like something bad happening like that.
Anyways, care would be taken that clients get a short note on such changes in the future. Thank you for your understanding.

[DPS Computing]

As a follow up sprint, I assume by moving to the unsecure server you should have less problems with the updates so hopefully they won't cause you any more problems!

[eUKhost.com]

Quote:

Originally Posted by sprint66

Well its not fine, because I wish I had been notified before the change. Please please please is there any way we can be notified before changes like this are made?

how should we find out if you are using any of the disabled functions in your webpages or not ?

We cannot email all members notifying them of the number of php functions disabled as most of them wont understand anything out of it.

[DPS Computing]

Quote:

Originally Posted by eukhost.com

how should we find out if you are using any of the disabled functions in your webpages or not ?

We cannot email all members notifying them of the number of php functions disabled as most of them wont understand anything out of it.

Yes, think of how many new tickets you would have to answer . It would probably worry many people or confuse like you said

[jc8654]

Slightly off topic, but continuing on this... Maybe a mailing list for people who know about the tech side could help? It might have also helped with the people who had issues about the lack of communication about the server migration as these people all seem to have the "tech know-how".

[steppen]

I support that idea!

[eUKhost.com]

Yeah. that seems to be a good suggestion. I am getting that designed right now and it will be emailed to all customers. Those who consider themselves as Geeks should subscribe to the list and rest who have no knowledge of what their webmasters did from them can stay away from that mailing list.

[DPS Computing]

Wohoo! I'm joining! I consider myself a geek and I'm sure it will also help me keep learning and may also provide a solution to future problems that I have due to changes made.

I think its a good idea because some of the more technically minded customers might be able to work out if an update breaks something and could mean less suport tickets and issues to deal with.

[sprint66]

Quote:

Originally Posted by eukhost.com

how should we find out if you are using any of the disabled functions in your webpages or not ?

Why would you need to?

Quote:

Originally Posted by eukhost.com

Yeah. that seems to be a good suggestion. I am getting that designed right now and it will be emailed to all customers. Those who consider themselves as Geeks should subscribe to the list and rest who have no knowledge of what their webmasters did from them can stay away from that mailing list.

Thats wonderful news!!

Quote:

Originally Posted by DPS Computing

As a follow up sprint, I assume by moving to the unsecure server you should have less problems with the updates so hopefully they won't cause you any more problems!

Not sure what you mean?

[DPS Computing]

Quote:

Originally Posted by sprint66

Not sure what you mean?

I was just saying, there are less functions disabled on the non secure server so there is less chance that you will run into a disabled function that will break your website .

[jc8654]

Glad my brain sometimes comes in useful for suggesting things! Now, if only I could get a percentage commission for every time I have a good idea like that!