PHP Security updates and Web Platform Installer

So, I finally eased up and started doing things the easy way, like using the Microsoft Web Platform Installer 3.0 to set up PHP, WordPress and the dependencies. And the initial install is a rather impressive experience.

But, last week, a critical PHP flaw was revealed and patched. I could not find a way to upgrade through the web installer so I manually patched things on one server. This required a bit of PHP.INI fixing as it doesn’t come packaged with gd2 and mssql. The rest of my team isn’t quite up to manual PHP patching, so I’d rather not continue down this path.

Is there a way to get updates in the WPI 3.0? If so, how?

From what I know, WPI uses XML files that list all the files and URLs, and downloads these packages directly from the source. Maybe it would be possible to manually edit this XML file with an updated URL to the PHP binaries. Or maybe just wait for Microsoft to update that very same file WPI downloads every time. However, I do not know how long that takes them.

Now, as for updating PHP, you probably really only needed to replace the updated binary files and leave everything else as it was, if this was just a minor version update, that is.

Edit: I just looked; WPI has PHP 5.2.17 now. I personally wish they would use 5.3 now, but eh.

Yes, it basically takes an ATOM feed if I recall correctly. That said, I was really trying to stay out of the business of manually patching PHP. And I’m not familiar enough with the platform to know which of the binary dependencies matter or need to be versioned these days.

Anyhow, yup, the 2.0 installer has it. But the WPI 3.0 is still stuck at PHP 5.2.14/PHP 5.3.3.

This is so much less fun than it was getting PHP stood up in production on IIS6 while keeping permissions minimal. Those days did make you a man.

Update: looks like it wasn’t updated because MSFT was busy doing stuff like releasing the web platform installer 3.0. My timing just sucked.