Server upgrade coming - What to do with the sites

Started by kevin, July 31, 2021, 10:59:30 AM


kevin

  Server upgrade coming - What to do with the sites ??


   I've just been informed that I'll have to upgrade all my sites' back end code, without which they won't run on the server after it's upgraded.


  NOTE: listen to PlayBASIC BLOG #0019 for what's happening   (Should be up in a few hours)



   

BigDan256

#1
Hi Kevin,
Watched the video and wanted to help out. It was a real shame when the classic DarkBASIC forum was replaced, so much content lost.
I'm preparing to do the same for about 70 websites on our server that are barely patched enough to run on php5.3 (from php3). There's no chance to replace the sites, so patching is the only way to buy time.

The jump from 5.4 to 7 shouldn't be too bad, you would have already made it past the magic_quotes and hopefully the autoglobals era of php.

Judging from the SMF 1.1.13 source, it uses mysql_* functions, which were deprecated but still available if the host just enables the extension. Or you can generally replace most calls to mysqli_* functions and constants. You can't search and replace, but you can search and hand-replace.
Eval has been removed because of security. There's a few regular expressions using the e modifier and calls to create_function that hopefully aren't too hard to replace.
A few classes just need their constructor renamed to __constructor in 2-3 files, this may just spit out warnings, but an easy fix anyway.
Then a couple of calls to the "each" function to replace.
That should buy you some time on the forum decisions at least.

This is the first time I've used this tool to collect this information: https://github.com/wapmorgan/PhpDeprecationDetector

I'll see if I can make a diff of the suggested changes.

I thought maybe I could help with a database migration script if you switch forums, just don't lose your database and upload files ;)

Thank You
Daniel
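
An added example, not part of Daniel's post or the linked commit: four PHP 5-era idioms of the kind listed above (the `/e` modifier, `create_function`, `each`, and class-named constructors) beside replacements that run on PHP 7 and 8. The function names, the class name and the sample data are constructed for illustration and are not taken from SMF.

```php
<?php
// Names and sample data below are constructed; none are taken from SMF.

// 1. The /e modifier evaluated the replacement string as PHP code.
//    Old: preg_replace('~\[b\](.+?)\[/b\]~e', "'<b>' . strtoupper('$1') . '</b>'", $text);
//    New: the callback receives the match array, so nothing is evaluated.
function render_bold($text)
{
    return preg_replace_callback('~\[b\](.+?)\[/b\]~', function ($m) {
        return '<b>' . strtoupper($m[1]) . '</b>';
    }, $text);
}

// 2. create_function() compiled a string into a function; use a closure.
//    Old: usort($rows, create_function('$a, $b', 'return $a["posts"] - $b["posts"];'));
function sort_by_posts(array $rows)
{
    usort($rows, function ($a, $b) {
        return $a['posts'] - $b['posts'];
    });
    return $rows;
}

// 3. each() walked the internal array pointer; foreach replaces the loop.
//    Old: while (list($key, $value) = each($settings)) { ... }
function settings_to_lines(array $settings)
{
    $lines = array();
    foreach ($settings as $key => $value) {
        $lines[] = $key . '=' . $value;
    }
    return $lines;
}

// 4. PHP 8 no longer treats a method named after the class as the constructor;
//    the constructor method is __construct().
class Hypothetical_Cache
{
    public $dir;
    public function __construct($dir)   // was: function Hypothetical_Cache($dir)
    {
        $this->dir = $dir;
    }
}

echo render_bold('[b]hello[/b] world'), "\n";
print_r(sort_by_posts(array(array('posts' => 5), array('posts' => 2))));
print_r(settings_to_lines(array('theme' => 'default', 'lang' => 'en')));
echo (new Hypothetical_Cache('/tmp/cache'))->dir, "\n";
```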

BigDan256

Urgh, patching the forum turned out to be a lot more work than expected.

https://gitlab.com/dgcomau/smf/-/commit/a2a8ba3a9a90376313fb181c9466ea8063b432ba

Still not finished as there's a reference to mysql_tablename.
create_function replacements were pretty hard to translate and may need more attention.
But hopefully you can use the diff to keep it running, may even be php5.4 compatible?

kevin

 OMG.. THANKS   a lot to unpack

- in terms of the forums, i'm not too sure what revision/patches have been thrown into it.   The plan was to use a local version and attempt to make the corrections.  But i'm so out of the PHP loop it's not funny..


Quote
It was a real shame when the classic DarkBASIC forum was replaced, so much content lost.


   Yeah.. that was a real blow.  Thankfully we won't be losing the data from here..  the longer this is up the more likely it is something will break or get broken by a 3rd party.   We've had a few injections over the years.

kevin


  Well, this is going to be quite the journey (excuse the reality TV catch phrase :)

  So far i've got a local copy of the forums & uwdesign and PB.com and a few other tidbit sites that we also host..    Haven't been able to get the forum running locally, but i think that's more my noobie skills and thus am focusing on getting the UW site running locally to feel better about myself :)    From what i can see I'm using a bunch of deprecated approaches .. naughty me :)   -  But the site is actually running, just has a lot of visible warnings..   My local server seems to be using PHP 5.4.9,  so I must have been using a way older version on my desktop.   It was almost a decade ago :(

  looking at the forum message tables and it doesn't seem too crazy an idea to dump a static version.  So dump it to some static markup state then have a display theme.  I've downloaded an updated version of the forum and will try and run that locally with their import / conversion script.    I did find on the server a previous failed attempt at this but I live in hope that a more robust script exists.

  The only thing in the way of dumping a static version of the forums now is the file attachments,  the older files have hashed names but the newer files seem to have some processing on them as if I rename them they're broken.   Which is annoying, as it'd be nice to just skim that data and spit out a static version from the database.


BigDan256

#5
Another technique you can use, which is a bit nasty, is to use the auto_prepend_file feature of php. I think I've seen this available in cpanel, and probably in virtualmin somewhere. It's just a php.ini setting.

Then you can:
- re-define any removed functions, like the mysql_ ones
- re-implement magic-quotes. basically a recursive call of addslashes applied to $_GET, $_POST, $_COOKIE, $_REQUEST
- re-implement old $HTTP_*_VARS variables, `global $HTTP_SERVER_VARS; $HTTP_SERVER_VARS = $_SERVER;` etc.
- re-implement autoglobals. Think it's basically `extract($_REQUEST);extract($_SERVER);`

Which deprecated features are you using? (Don't answer that if it exposes some security issues  ;))

Edit:
Use a good editor like vscode.
short_open_tags went through some iterations and was removed too. So with it went from '<?', '<?php', '<?=', then default to just '<?php', then to just '<?php' and '<?='
With a good editor, you can use the file search with regular expression '<\?[^p=]' to try and find all the short_open_tags and replace them with <?php. If it returns too many, you can search for '<\?$', and '<\? ' to reduce the false-positives.
A good plugin can help highlight problems. 'php intelephense' seems pretty good and not too intrusive.
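
One way to write the prepend shim described above, added here as an example and not code from the thread. The file name, the `compat_*` function names, the `compat_link` connection variable and the allowlist contents are assumptions; the register_globals part imports only named parameters, because a bare `extract($_REQUEST)` lets a request set any variable the script has not initialised.

```php
<?php
// compat_prepend.php (hypothetical name), loaded through the php.ini setting
//   auto_prepend_file = /path/to/compat_prepend.php

// magic_quotes_gpc emulation: recursive addslashes over a request array.
// It restores what legacy code expects; it is not SQL escaping.
function compat_add_slashes($value)
{
    return is_array($value) ? array_map('compat_add_slashes', $value) : addslashes($value);
}

// register_globals emulation limited to an allowlist. A bare extract($_REQUEST)
// lets a request pre-set any variable the script forgets to initialise.
function compat_register_globals(array $request, array $allowed)
{
    $imported = array();
    foreach ($allowed as $name) {
        if (array_key_exists($name, $request) && !array_key_exists($name, $GLOBALS)) {
            $GLOBALS[$name] = $request[$name];
            $imported[] = $name;
        }
    }
    return $imported;
}

// One removed mysql_* function re-defined over mysqli. $GLOBALS['compat_link'] is
// an assumed mysqli connection that the shim would open before first use.
if (!function_exists('mysql_real_escape_string')) {
    function mysql_real_escape_string($string)
    {
        return mysqli_real_escape_string($GLOBALS['compat_link'], $string);
    }
}

// Applied to every web request that loads this file.
$_GET = compat_add_slashes($_GET);
$_POST = compat_add_slashes($_POST);
$_COOKIE = compat_add_slashes($_COOKIE);
$_REQUEST = compat_add_slashes($_REQUEST);
$HTTP_GET_VARS = $_GET;
$HTTP_POST_VARS = $_POST;
$HTTP_SERVER_VARS = $_SERVER;

// Demonstration with a constructed request, only when this file is run directly.
if (PHP_SAPI === 'cli' && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    $demo = compat_add_slashes(array('page' => "o'brien", 'is_admin' => '1'));
    print_r(compat_register_globals($demo, array('page', 'sort')));
    var_dump(isset($GLOBALS['is_admin']));
}
```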

kevin

 Awesome Dan,

Quote
Another technique you can use, which is a bit nasty, is to use the auto_prepend_file feature of php. I think I've seen this available in cpanel, and probably in virtualmin somewhere. It's just a php.ini setting.

    Thanks, i'll definitely have a look. 

Quote
Which deprecated features are you using? (Don't answer that if it exposes some security issues  ;))

   Things like references in function calls, which I must have been a big fan of back in the day, not setting the time zone..  and dumb stuff like reading from something that's not defined.   I dunno what php version I was running, but maybe the warnings are set differently now.. dunno, but it's running,  but still getting a bunch of hand slaps..  I've updated one of the mostly static sites this morning and that was enough for it to run as normal..   For UW warnings are mostly now gone, should be much the same with PB.   UW & PB are mostly database less tho..   There's these other tidbits that need to be cleaned out.   Stuff we no longer need,  Like key processing stuff for something i discontinued years ago.


   For editor I couldn't find the one from the desktop,  which I really liked as it's basically PB for PHP..   Which is apt as it used the same syntax highlighting control we do..  even had the same bugs.. :(  - So grabbed some shareware solution for the time being.   It's ok, but the auto complete brackets drive me a bit nuts..


Quote
short_open_tags went through some iterations and was removed too. So with it went from '<?', '<?php', '<?=', then default to just '<?php', then to just '<?php' and '<?='


    Thankfully that's something I seem to have avoided..  one brownie point for me then !



BigDan256

That just sounds like you need to set error_reporting level. Probably `error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING);` or just `error_reporting(0);`
Defaults for that changed over time, and there's different recommendations based on production/development. The timezone warning is just one of those new warnings.
Watch the ini_set('display_errors', 'Off'); setting for production/development too.

Possibly you have associative array references with no quotes around the strings? Old php defaulted undefined constants as string constants, now deprecated. ie. `$my_array[key]` => `$my_array['key']`

References should still work, it's just fussy about it. ie. you can't call the function with the reference `my_func(&$var)`, but you declare it in the function `function my_func(&$var)`. And if you're using object-oriented, there's no more benefit to `$var = &new Class();` and it'll complain about it.

Back in the day I think phpedit was the thing, but it would crash all the time :(
Found all the editors unstable until the latest generation of editors.
I used editplus for years as it was most stable, still use it for some of its unique tools. Basically just a syntax highlighter, treats your code as text instead of trying to parse for structures. I even used it for pb, the pb editor can be a little annoying with indentation and moving past end of line.

Usually auto-brackets and template code can be turned off somewhere. vscode has a lot of settings to go through, and then language specific settings when you install the right modules.

kevin


  Well, the UW site / code base seems to be working as of about 10 minutes ago..   Most if not all the warnings/errors in the code break down to undefined variables, references, accessing undefined keys in arrays and a few odd ball bits of broken code that i'm not too sure was working before.

   For some reason I was using this $ThisChr = $MyString[0]  to grab the first character,  but it doesn't seem to like this anymore..  used split in a bunch of places .. ie   //list($UserName, $DomainName) = split("@", $ThisEmail)

  So i'm happy with that and I know the types of things that will be broken in the PB version, which is older than  UW and even more fuggle..
     


BigDan256

hehe, the undefined index fun, it's easier to hide than to patch.

To patch undefined indexes pre php 7, it bloats out:
```php
if (!isset($at)) $at = 0;
$at = (array_key_exists('at', $_GET)) ? $_GET['at'] : 0;
// etc.
```

Post php 7 is much simpler with the null coalesce operator:
```php
$at ??= 0;                 // the ??= assignment form needs PHP 7.4 or later
$at = $_GET['at'] ?? 0;
// And chains out nicely:
$currency = $_GET['currency'] ?? $member['currency'] ?? $visitor['currency'] ?? 'AUD+';
```

Or just hide the notices:
```php
// keep the current reporting level, minus notices
error_reporting(error_reporting() & ~E_NOTICE);
```


split was just an alias for explode, can't seem to find it in the documentation because they removed it, but explode works in its place.
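
An added example, not code from the thread: the `??` defaults above cover a missing key only, so these helpers also reject values of the wrong type or outside an allowed set. The function names, the list of currency codes and the sample arrays are constructed for illustration.

```php
<?php
// Hypothetical helpers; names are not from the thread.

// Integer parameter with a default and a range check.
function request_int(array $source, $key, $default = 0, $min = 0, $max = PHP_INT_MAX)
{
    if (!isset($source[$key]) || is_array($source[$key])) {
        return $default;               // missing, or ?at[]=1 style array input
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT,
        array('options' => array('min_range' => $min, 'max_range' => $max)));
    return $value === false ? $default : $value;
}

// Same fallback chain as the ?? example, but only values on the allowlist pass.
function request_choice(array $sources, $key, array $allowed, $default)
{
    foreach ($sources as $source) {    // first source with an allowed value wins
        if (isset($source[$key]) && is_string($source[$key])
            && in_array($source[$key], $allowed, true)) {
            return $source[$key];
        }
    }
    return $default;
}

// Constructed sample data standing in for $_GET, $member and $visitor.
$get     = array('at' => '15abc', 'currency' => array('USD'));
$member  = array('currency' => 'NZD');
$visitor = array();

$at = request_int($get, 'at');
$currency = request_choice(array($get, $member, $visitor), 'currency',
    array('AUD+', 'NZD', 'USD'), 'AUD+');
var_dump($at, $currency);
```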

kevin


  Thanks Dan,

  I just ended up wrapping stuff up into functions to hide undefined stuff away.   Yeah I'm that lazy :)



   One down>>

   https://www.underwaredesign.com/

   Made a few tweaks to the parser,  shame a lot of my tags have html embedded within the code all over the place..


   I was due to have a weekend off this weekend, but now with lockdown that's been poo poo'ed  -  None the less it's forum time. 


BigDan256

haha, gotta choose your battles.

Hunter region just started lockdown yesterday too. The weekend is looking promising for some free computer time.

kevin


   Set up a mirror of the boards on the server to play with.   I did have visions of making a static zipped version, but it's got a pretty big foot print at around 700meg and a lot of legacy links are broken.    Some of the early threads were damaged / deleted by injection but not too many..  less than a hundred i'd say.    I might have the messages in some older database backups, but I doubt it.

   Knocking up a bit of scraping code to take a snap shot of the threads and download the attachments.



  @Dan;

    Just out of curiosity,  what are you using locally ?   I'm just using https://laragon.org/

BigDan256

I use the built-in php web server when I can get away with it. `php -S 127.0.0.1:8080 -t .`
I will occasionally set up a mariadb server, but I try to avoid it since I forget it's running in the background.
You can run phpmyadmin with the built-in web server too, otherwise heidisql feels pretty nice for database management.

I remember using server2go back in the day, was handy for taking it to uni and fiddling in the breaks. Very self-contained.

Laragon looks interesting. It says it's self-contained in a folder? Think I'll try that one.
I have a few php versions installed so I can switch between them, but Laragon would be handy for controlling databases.

Frameworks like laravel have docker containers, but I find that a huge pain and resource kill. Plus they seem to be designed to cover up some design flaws.

Looks like you already have subdomains for localhost.underwaredesign.com and localhost.playbasic.com.
This is handy if you use a proper web server locally, no messing around with the hosts file.

kevin