
View Full Version : php safe mode



TDM_FDM
08-30-2003, 12:39 PM
Hi,

We have made php safe mode on and got complaints from customers and made php safe mode on. Is there any way I can avoid this?

Jimbob
08-31-2003, 05:27 AM
I'm not really sure what you mean...

I don't know what your reasons for having safe mode on are, but unless you are giving away free hosting it will just drive clients away. Many PHP programs depend on having Safe Mode set to Off, so yes, you will get lots of complaints with it on.

THD
09-10-2003, 01:31 PM
Safe_Mode off, however, poses certain security risks, and you also get many complaints from people concerned about their site's security. ;)

Jimbob
09-10-2003, 01:40 PM
How many people, who are PHP programmers, are going to buy hosting if PHP safemode is on? Not many. Many PHP scripts require it to be off to work to their full.

You can always configure php.ini to make it safer but even with safe mode on there are always going to be security holes.

I don't think you would get many people who are concerned about the safety of their site if they are with a good, reliable host who keeps their version of PHP and any other software they have up to date. Your server will never be 'un-hackable', it's just a matter of making it as hard as possible for people who want to cause damage to other people's sites and server.

THD
09-10-2003, 02:00 PM
I agree that a site can never be "un-hackable".

However, that doesn't mean that just because it's impossible to make it 100% un-hackable you should just throw all security out the door... every little thing does help ;)

Let me just take a second here to explain exactly what Safe_Mode does, as I think most don't even know...

With Safe_Mode off, if you're a shared host, you allow everyone on the server to "walk" through the server. They can view my files & directories, as well as theirs. Obviously this is not only a security risk, but a privacy issue as well.
They cannot, however, view the contents of my files, but after they have got the names & directory it is stored in, figuring out how to view them won't be that hard.

You continue to state that Safe_Mode needs to be off because many scripts require that it is off, well let me tell you, I ran a PHP coding site for 3 YEARS with Safe_Mode on and I never had a problem with over 400 different scripts!
Also, any script can run under Safe_Mode, it just depends how it's coded. In fact, most "big" scripts even have separate versions, or patches, to run under Safe_Mode. :cool:


Having Safe_Mode on as stated above will NOT make your clients' sites un-hackable, but it will make it a lot harder for the script kiddies to wreak havoc, which is equally important. ;)
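
A permission audit of the exposure THD describes, as an added example that is not part of the thread. It assumes a Unix shared host where other customers' scripts reach your files through the "other" permission bits; the function names and the sample directory layout are constructed for illustration.

```python
import os
import stat
import tempfile

def exposed_to_other_users(root):
    """Map each path under root to how accounts other than the owner can reach it."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(mode):
                if mode & stat.S_IROTH:
                    findings[rel] = "listable"      # others can read the file names
                elif mode & stat.S_IXOTH:
                    findings[rel] = "traversable"   # names hidden, known paths still open
            elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings[rel] = "readable"          # contents readable via a known path
    return findings

# Constructed sample: one customer's home directory (relative path -> mode).
SAMPLE_DIRS = {
    "public_html": 0o755,
    "public_html/includes": 0o711,
    "private": 0o700,
}
SAMPLE_FILES = {
    "public_html/index.php": 0o644,
    "public_html/includes/config.php": 0o644,
    "private/backup.sql": 0o600,
}

def run_sample():
    """Build the constructed layout in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as home:
        for rel in SAMPLE_DIRS:
            os.makedirs(os.path.join(home, rel), exist_ok=True)
        for rel, mode in SAMPLE_FILES.items():
            path = os.path.join(home, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        for rel, mode in SAMPLE_DIRS.items():
            os.chmod(os.path.join(home, rel), mode)
        return exposed_to_other_users(home)

if __name__ == "__main__":
    for rel, exposure in sorted(run_sample().items()):
        print(f"{exposure:12} {rel}")
```

The check looks at each entry's own mode only, so a readable file below an owner-only directory would still be reported even though the parent blocks access to it.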

ProWebUK
10-02-2003, 12:30 PM
Every server will have security holes no matter how good the software, no matter how good the server administrator, no matter how good the host. A hacker only needs to find 1 hole, the least any server administrator can do is keep the amount of holes there to a minimum, every known hole should be fixed with any patches available. Whether you believe it or not, safe mode is there for a reason ;) . If a client requires it off, turn it off, else it can stay on!

