Consequences of changing safe_mode, register_globals settings midstream

new7media

Hi there - I have just completed a web site project that includes content management tools that I wrote. Simple/straightforward stuff - the tools let you add/edit/remove text content to/from a database and do some uploading. On the other side of things, the site is totally dynamic and so there are calls to the database to display this and that type of content. There are two really simple forms -- eg., "subscribe to our newsletter" that takes a name and email address -- that simply take form input and send it to a person using PHP's mail() function. There is no sensitive information at all in this site or being sent via email. It's sort of a glorified online brochure really.

The site is up and running and everything works flawlessly. We were just about to modify the domain name when out of the blue we were asked to ensure that register_globals was set to off (really wish I had started with that...my bad) and that we "set safe mode".

I'm not sure what is meant by setting safe mode. Right now our PHP config shows the following for the particular directives we were asked to "set":

Directive.............................................Local Value..................Master Value
safe_mode.........................................On...............................On
safe_mode_allowed_env_vars..........PHP............................PHP
safe_mode_protected_env_vars.......LD_LIBRARY_PATH.......LD_LIBRARY_PATH

Where register_globals is concerned, this setting is currently "Off".

I'm thinking safe_mode is nailed. Am I wrong?

I'm not sure what will happen if I simply switch register_globals to off so I haven't yet. What should I do first to ensure that nothing gets broken in this last-minute change? Only one application running on the site was snagged from hotscripts and it's the only one that uses variables like $_POST. I'm figuring this may become a problem? Oh - and we also use phpMyAdmin for dbase administration but this is a lesser concern, though still on my mind.

Any advice or heads-up on this pending switch-up is much appreciated! Oh yes - we are using PHP Version 4.3.10 on a Linux server. Thanks!

vaaaska

You'll probably just need to try it and see what happens.

As long as you've been using correct coding techniques you shouldn't have problems except if you are creating files and folders on the server - safe_mode could have alot of issues with that.

Using $POST and $GET for all your submits and references should help you get by the globals issues...

http://www.php.net/security/

new7media

Are you saying that our current safe_mode settings need to change? Right now safe_mode is set to "On". We do upload files -- graphics and PDFs -- and save them to the server through a PHP script. That is working fine as is, with safe_mode set to on.

Thanks for the link -- reading that now.

vaaaska

That should be ok. Should be. If you are trying to edit or delete any of these things via other scripts it could be an issue. This link will give you the full scoop:

http://php.belnet.be/manual/en/features.safe-mode.functions.php