Monday, March 21, 2016

Threat of a lack of maintenance in regard to PHP and MySQL code on existing websites

I've a few clients who outsourced their initial site builds to companies in India. The developers used teams of people who used 2001 best practices to build these sites circa 2009. The sites are mostly on shared hosting, a few on managed hosting, but here is the thing: while I'm working on the sites to upgrade their code it occurred to me that there are likely thousands of PHP websites running the old MySQL database connectors on shared hosting and some managed hosting plans at various hosts, and nobody knows about the underlying issue at hand.

From a security standpoint, anything that prints a raw error on a webpage is an information leak. PHP warnings and fatal errors include the absolute filesystem path of the failing script, and a database error can also echo back the query or the host name. Showing an attacker the directory structure of the server, the PHP version, and which code paths touch the database helps them tune their scans and attacks against vulnerabilities they already know about.

According to the PHP documentation, the original MySQL extension (ext/mysql, the mysql_* functions) is deprecated as of PHP 5.5 and was removed entirely in PHP 7.0.

Since functions like mysql_connect, mysql_query, and the like are deprecated and no longer exist in PHP 7, any website using them needs to be brought relatively current with updated code using something like PDO (PHP Data Objects) or MySQLi for its database connections. What will happen is that when a host upgrades a webserver to PHP 7, every site on it that still uses this older code will have all of its database connections break: the very first mysql_connect() call fails with a fatal "Call to undefined function" error and the script stops. Since a large percentage of websites pull all of their content from the database, this is a major issue. Depending on the error display settings, visitors may see the fatal error itself (complete with the server path of the script), a blank white page, or a page that renders with nothing but a few placeholders in an empty interface.

SEO and organic traffic will be negatively impacted. If a site doesn't work for a few weeks while someone is making repairs, it can be costly for a business.

What can be done?
  1. If the site is running PHP, then the code can be examined for functions beginning with mysql_ . Simply adding an "i" to the end of mysql (mysql_query becomes mysqli_query) can fix these issues in many cases, but it is not a pure search-and-replace: several MySQLi functions take the connection as their first argument where the old functions took it last or optionally (mysqli_query($link, $sql) versus mysql_query($sql, $link); mysqli_real_escape_string($link, $s) versus mysql_real_escape_string($s)), and there is no implicit "last opened connection" to fall back on. Even when it works, this is not as good a solution as using PHP's PDO library with prepared statements for the connection.
  2. Every call site, including the functions that fetch rows, count results, and escape input, and any code that formats the output of those functions, needs to be rewritten to use the newer standards. Query strings built by concatenating user input should be converted to bound parameters while you are in there.
  3. While this can be a time-consuming and sometimes expensive process, it is a lot less expensive to fix it before a server is upgraded, rather than having developers make edits to code on deadline when the website is down.
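As an added example of the migration described in the three steps above (example code written for this post, not code from the author's client sites), here is one legacy page-loading function next to a minimal MySQLi port and a PDO rewrite. The table `pages` with columns `slug` and `body`, the database name `site`, and the credentials are all placeholders assumed for the example. The legacy function is kept as-is to show both why it dies on PHP 7 and why it was a SQL injection risk even on PHP 5.

```php
<?php
// Added example, not from the original post. Table `pages` (slug, body),
// database `site`, and the credentials below are hypothetical placeholders.

// --- Legacy ext/mysql code: deprecated in PHP 5.5, removed in PHP 7.0 ---
// On PHP 7 the first line dies with "Fatal error: Uncaught Error: Call to
// undefined function mysql_connect()". With display_errors=On that message,
// including the absolute path of this file, is sent to the browser.
function legacy_get_page($slug)
{
    $link = mysql_connect('localhost', 'webuser', 'secret');
    mysql_select_db('site', $link);
    // $slug is interpolated straight into the query: injectable unless
    // every caller remembers to run mysql_real_escape_string() first.
    $result = mysql_query("SELECT body FROM pages WHERE slug = '" . $slug . "'", $link);
    $row = mysql_fetch_assoc($result);
    return $row ? $row['body'] : null;
}

// --- Step 1, the "add an i" port using procedural MySQLi ---
// Note the connection is now the FIRST argument everywhere, and the
// database name moves into mysqli_connect(). A prepared statement
// replaces the string concatenation.
function mysqli_get_page($slug)
{
    $link = mysqli_connect('localhost', 'webuser', 'secret', 'site');
    $stmt = mysqli_prepare($link, 'SELECT body FROM pages WHERE slug = ?');
    mysqli_stmt_bind_param($stmt, 's', $slug);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $body);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    mysqli_close($link);
    return $found ? $body : null;
}

// --- Step 2, the preferred rewrite: PDO with bound parameters ---
function get_pdo()
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=site;charset=utf8mb4',
            'webuser',
            'secret',
            array(
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw, never return false silently
                PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
                PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            )
        );
    }
    return $pdo;
}

function get_page($slug)
{
    $stmt = get_pdo()->prepare('SELECT body FROM pages WHERE slug = :slug');
    $stmt->execute(array(':slug' => $slug)); // value is bound, never interpolated
    $row = $stmt->fetch();
    return $row ? $row['body'] : null;
}

// Keep database failures out of the HTML: log the real message server-side
// and show a generic page, so paths, hosts and queries never reach visitors.
try {
    $slug = isset($_GET['p']) ? $_GET['p'] : 'home';
    $body = get_page($slug);
    echo $body !== null ? $body : 'Page not found';
} catch (PDOException $e) {
    error_log('DB error: ' . $e->getMessage());
    http_response_code(503);
    echo 'Temporarily unavailable';
}
```

To find the call sites for step 1, a search such as `grep -rnE '\bmysql_[a-z_]+\s*\(' --include='*.php' .` over the site's document root lists every legacy call with its file and line; anything it returns will fail outright once the host moves to PHP 7. The PDO version also works on PHP 5.x, so it can be deployed and tested before the host upgrades rather than after.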
