Hypothetically, if a client wanted you to build a Drupal site (complexity of say, 2, where 10 is economist.com) and they insisted on a specific host -- and this host only supports php4, what would you tell them? So far I've got, -Core will work but many contribs will not (filefield, date, ubercart, etc) -Prepare for added development time that you wouldn't have to otherwise pay for -??? What would you say, hypothetically? Any official stance on php4 from d.o? Thanks, -D
On Mon, Jun 14, 2010 at 11:09 AM, Domenic Santangelo <domenics@gmail.com> wrote:
and they insisted on a specific host -- and this host only supports php4, what would you tell them?
"I'm sorry, we're not available for that project at this time. Good luck." All the Best, Matt
PHP4 is end of life. End of story. Damien On Mon, Jun 14, 2010 at 8:09 PM, Domenic Santangelo <domenics@gmail.com> wrote:
Hypothetically, if a client wanted you to build a Drupal site (complexity of say, 2, where 10 is economist.com) and they insisted on a specific host -- and this host only supports php4, what would you tell them? So far I've got,
-Core will work but many contribs will not (filefield, date, ubercart, etc) -Prepare for added development time that you wouldn't have to otherwise pay for -???
What would you say, hypothetically? Any official stance on php4 from d.o?
Thanks, -D
Official position: Drupal 6 core runs on PHP 4. Contribs are at their discretion to decide what they support. Drupal 7 and its contribs will require PHP 5.2 or higher. My personal position: The host in question will likely be deservedly out of business soon. Seriously, PHP 5 is not hard to support. It's been 3 years since the developer community officially abandoned PHP 4 and 2 since the PHP internals team did so. PHP 4 is getting no security updates whatsoever, and there are known, documented security holes in it that will not be addressed. If your client is too cheap to get a host that pays attention to the past 6 years and at least pretends to care about security, then frankly I'd question if they're too cheap to pay you for the work. It's not like cheap PHP 5 hosts are hard to find. --Larry Garfield On 6/14/10 1:09 PM, Domenic Santangelo wrote:
Hypothetically, if a client wanted you to build a Drupal site (complexity of say, 2, where 10 is economist.com) and they insisted on a specific host -- and this host only supports php4, what would you tell them? So far I've got,
-Core will work but many contribs will not (filefield, date, ubercart, etc) -Prepare for added development time that you wouldn't have to otherwise pay for -???
What would you say, hypothetically? Any official stance on php4 from d.o?
Thanks, -D
On 14/06/10 20:09, Domenic Santangelo wrote:
and they insisted on a specific host -- and this host only supports php4, what would you tell them?
A host that only supports PHP4 is absolutely bound to have other issues. Assuming I really wanted to build this site for them I start asking very specific questions about this hosting environment to find the other pitfalls first. By the end I guess you'd have convinced them it's not the best host. Cheers,
Official position from php.net: http://www.php.net/releases/4_4_9.php, http://www.php.net/ChangeLog-4.php#4.4.9. In other words, any security vulnerabilities discovered in PHP4 in the last 22 months have not been fixed and will not be fixed. As others have said, a web hosting company that considers this to be acceptable is untrustworthy to do business with. Domenic Santangelo wrote:
Hypothetically, if a client wanted you to build a Drupal site (complexity of say, 2, where 10 is economist.com) and they insisted on a specific host -- and this host only supports php4, what would you tell them? So far I've got,
-Core will work but many contribs will not (filefield, date, ubercart, etc) -Prepare for added development time that you wouldn't have to otherwise pay for -???
What would you say, hypothetically? Any official stance on php4 from d.o?
Thanks, -D
It's worth confirming that the host does not support PHP5. In some cases, a host may support multiple versions, and clients like that one may be using PHP4 for legacy reasons, so simply checking what that site is using may not be the full answer. If PHP5 is simply not available then, yeah, what everyone else said. Allie
On Jun 14, 2010, at 11:29 AM, Allie Micka wrote:
It's worth confirming that the host does not support PHP5. In some cases, a host may support multiple versions, and clients like that one may be using PHP4 for legacy reasons, so simply checking what that site is using may not be the full answer.
Thanks for all the input, folks, it was helpful in talking to that theoretical client. As it turns out the host *did* support php5 but was sidestepping the issue because they (theoretical client) had been on an old php4 server and the host wasn't too keen on migrating. But they did migrate, and now everything's well. Theoretically. -D
And therein lies the big reason. As a professional developer, if a client insists on running a server with PHP4 then they are presented with a disclaimer in the contract stating that the security of their site/application can not be guaranteed do to the insecurity and lack of support for PHP4. I started doing that right after the PHP4 EOL and have only used it once since then. I have had a couple of other clients that were on PHP4. One was on a self managed host and it was much cheaper for them to let me update their server to PHP5 and the other changed hosting providers. Actually from talking to that client, I think they were looking for a reason to switch hosting companies and I gave it to them. Jamie Holly http://www.intoxination.net http://www.hollyit.net On 6/14/2010 2:24 PM, Alex Bronstein wrote:
Official position from php.net: http://www.php.net/releases/4_4_9.php, http://www.php.net/ChangeLog-4.php#4.4.9.
In other words, any security vulnerabilities discovered in PHP4 in the last 22 months have not been fixed and will not be fixed. As others have said, a web hosting company that considers this to be acceptable is untrustworthy to do business with.
Perhaps the best argument is this: Going with PHP4 will very likely end up costing you more in the long run, what with unanticipated incompatibility of contributed modules to potential security flaws in PHP4 itself. It is likely more cost effective to go with a host, even a more expensive host, that does support php5. Laura On Jun 14, 2010, at 12:09 PM, Domenic Santangelo wrote:
Hypothetically, if a client wanted you to build a Drupal site (complexity of say, 2, where 10 is economist.com) and they insisted on a specific host -- and this host only supports php4, what would you tell them? So far I've got,
-Core will work but many contribs will not (filefield, date, ubercart, etc) -Prepare for added development time that you wouldn't have to otherwise pay for -???
What would you say, hypothetically? Any official stance on php4 from d.o?
Thanks, -D
In addition to all the other rationales already posted, consider this if this project involves any kind of eCommerce... If you develop a web site that does credit card transactions and it is found to be in violation of PCI industry standards for security, liability in the event of identity theft can be so high that it could bankrupt a business or end a business career. Lawyers have a way of "casting a wide net" when looking for pockets to dip into when a breach like this occurs. Saying "But my host only supports PHP4" is no more effective than the old "The dog ate my homework" excuse. IOW, think of your own liability here in addition to your prospective client's. Some projects are too risky to do no matter how much you want or need the business. --Sohodojo Jim--
On Jun 14, 2010, at 12:09 PM, Domenic Santangelo wrote:
Hypothetically, if a client wanted you to build a Drupal site (complexity of say, 2, where 10 is economist.com) and they insisted on a specific host -- and this host only supports php4, what would you tell them? So far I've got,
-Core will work but many contribs will not (filefield, date, ubercart, etc) -Prepare for added development time that you wouldn't have to otherwise pay for -???
What would you say, hypothetically? Any official stance on php4 from d.o?
Thanks, -D
On 06/14/2010 11:09 AM, Domenic Santangelo wrote:
they insisted on a specific host -- and this host only supports php4, what would you tell them?
I'd ask what problem they're trying to solve by insisting on this particular host and try to help them come to a more reasonable solution. Cheers, Paul
On 2010-06-14, at 2:09 PM, Domenic Santangelo wrote:
and they insisted on a specific host -- and this host only supports php4
If PHP4 only is actually the case and this is a general hosting company, I'd like to know the name so I can stay far, far away from them. Any decent hosting provider should let you choose PHP4 or PHP5 on a per-vhost basis. --Andrew
participants (13)
-
Alex Bronstein -
Allie Micka -
Andrew Berry -
Ben DJ -
Damien Tournoud -
Domenic Santangelo -
ekes -
Jamie Holly -
larry@garfieldtech.com -
Laura -
Matt Chapman -
Paul -
Sohodojo Jim