# Php5?



## Deleted member 2077 (May 7, 2012)

I have a web app that requires "PHP 5+", but the 3 php5x ports in /usr/ports/lang are all deprecated/broken, etc.  I tried php5, php52 and php53 (see output below).  The author of the webapp says php4 won't work.  Any ideas?

I'm not too familiar with this, but isn't php a fairly mainstream and common port?  Seems strange that it's not working.  My port tree was updated right before I tried installing them.


```
[root]# cd ../php5
[root]# make
===>  php5-5.3.11 has known vulnerabilities:
Affected package: php5-5.3.11
Type of problem: php -- vulnerability in certain CGI-based setups.
Reference: http://portaudit.FreeBSD.org/60de13d5-95f0-11e1-806a-001143cd36d8.html
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/lang/php5.
*** Error code 1

Stop in /usr/ports/lang/php5.
[root]# cd ../php52
[root]# make
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

PHP 5.2 series is strongly discouraged for new  installations, migrate now.

It is scheduled to be removed on or after 2013-03-01.

===>  php52-5.2.17_8 has known vulnerabilities:
Affected package: php52-5.2.17_8
Type of problem: php -- NULL byte poisoning.
Reference: http://portaudit.FreeBSD.org/3761df02-0f9c-11e0-becc-0022156e8794.html
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/lang/php52.
*** Error code 1

Stop in /usr/ports/lang/php52.
[root]# cd ..
[root]# cd php53
[root]# make
===>  php5-5.3.11 not usable until php5.4.x is in lang/php5.
*** Error code 1

Stop in /usr/ports/lang/php53.
```


----------



## kpa (May 7, 2012)

http://forums.freebsd.org/showthread.php?t=31798, lang/php5 version 5.3.12 with a fix for the vulnerability is not out yet. If you use fastcgi you shouldn't need to worry about the security vulnerability, as far as I understand it's limited to cases where a PHP program is used as an old style CGI script.


----------



## Deleted member 2077 (May 7, 2012)

kpa said:

> http://forums.freebsd.org/showthread.php?t=31798, lang/php5 version 5.3.12 with a fix for the vulnerability is not out yet. If you use fastcgi you shouldn't need to worry about the security vulnerability, as far as I understand it's limited to cases where a PHP program is used as an old style CGI script.



Thanks.  Is there a way to get lang/php5 to build (securely) with fast cgi disabled?  I unchecked

```
[ ] CGI        Build CGI version
```

in the *make config*, but it still fails to build.


----------



## ondra_knezour (May 7, 2012)

feralape said:

> ```
> # cd ../php5
> # make
> ===>  php5-5.3.11 has known vulnerabilities:
> ...
> ```



If you are sure you are not affected by this vulnerability, use
`# make -DDISABLE_VULNERABILITIES install`


----------



## kpa (May 7, 2012)

If you're not going to use fastcgi nor cgi then how are you going to call your PHP program?  Fastcgi should be safe to use for now.


----------



## Zare (May 7, 2012)

Apache module, or from CLI...


----------

