Safe Mode On/Off - Implications?

duckduckgoose

Hi there,

I was wondering if there is a typical way to run PHP, i.e., with Safe Mode On or Off? What are the implications of running it in Off mode? Is it dangerous to do so?

Thanks!

leatherback

safe mode on. Always

Your code is otherwise wide open for people to pass their own variables to your script. So -unless you are a careful coder- you are at risk of serious hijacking & data manipulation.

wilku

I wouldn't depend on safe_mode much. It will be gone in php 6.0 anyway.
A quote from "Month of PHP Bugs" by the former "chief" of php-security group:

Safemode and open_basedir are flawed by design and will always have security holes like this one (or all the local exploits we demonstrated). The security of your server setup should therefore NEVER rely on these directives.

On the MOPB there are two examples (for zip and bzip url wrappers) of fooling safe mode.