Testing and QA

Minimum PHP version for Moodle 2.5

 
Gmads
Minimum PHP version for Moodle 2.5
 

Hi,

As I'm in the process of cleaning-up and organizing my web installations, dev environment (WAMP), etc., I enabled a Moodle 2.5 installation, but I missed shutting off the Apache/2.2.20 + PHP/5.3.5 and turning on the one I had previously used with it: Apache/2.4.6 + PHP/5.4.17, as a result, when I tried to log in I got an "Invalid login, please try again" error message.

At first I assumed I had forgotten the password, so I created a new hash and saved it in the user table. Same result: invalid login.

Once I realized that I was using an old PHP version, I enabled a PHP 5.3.27 installation and then I was able to log in. After all this, I went and checked around a bit.

According to the download page, for Moodle 2.5 the minimum PHP version is 5.3.3, however, M 2.5 uses a new password hashing algorithm, which relies in the new prefixes ($2x$ or $2y$) introduced in PHP 5.3.7 to fix security weaknesses in the Blowfish implementation (PHP versions lower than 5.3.7 only support the $2a$ salt prefix); see: MDL-35332, improve security of hashed passwords.

I did some tests before posting here:

* With the $2y$10$ hash I had generated, I received the "Invalid login" message.

* When I used, either a $2a$10$, a $2a$08$ or an MD5 hash, I got the following message:

error/Failed to generate password hash. More information about this error.

I also got a Fail at the Test for functionality of compat library.

 

So, shouldn't PHP 5.3.7 be the minimum version for Moodle 2.5 and greater?

 
Average of ratings: -
Picture of Petr Skoda
Re: Minimum PHP version for Moodle 2.5
Core developersDocumentation writersPlugin developers
The minimum requirements are intended mostly for enterprise Linux installations with extended support and regular security backports. You are using Windows so please ALWAYS use the latest versions from http://windows.php.net/download/. Using 5.3.5 on Windows now is highly irresponsible and I hope nobody does that on production Windows servers.

We cannot change minimum version, but you are right that it is not possible to downgrade PHP on Windows. In Linux the situation is a bit different because distros with LTS support might have backported the new crypt features necessary for new password hashing.

Summary:
* all windows servers MUST use the latest PHP versions from each branch no matter what our minimal requirements say - now it is 5.4.25, 5.3.28 or 5.5.9) - there is absolutely no reason to use 5.3.5 on windows
* on Linux use some distribution with LTS backports or the latest packages compiled from upstream PHP source code
* regularly update PHP - check at least once a month
 
Average of ratings: Useful (3)
Gmads
Re: Minimum PHP version for Moodle 2.5
 

Hi Petr,

Thanks for your answer. I do agree about 5.3.5 being a very old version and, if I had a server, I would definitely not use it smile I use the latest versions allowed for WinXP, but I still have some old versions installed for testing purposes, but which I'm just in the process of discarding.

Well, maybe that summary could be added at the download page for the benefit of those users that may not be aware of the importance of having the latest versions.

 
Average of ratings: -