
Should PHP safemode be kept on or off?

What is safe mode in PHP
In PHP, safe mode is a security feature that was designed to prevent hackers from being able to use PHP scripts to execute commands at the operating system level (such as Linux shell commands).
It was intended to be a security method for web applications running on shared hosting accounts, as VPS and dedicated servers running single web hosting accounts did not need it. It never functioned well, however, and PHP developers have removed it from the upcoming version 6 release.

 
What’s the problem with safe mode?
The core problem with Safe Mode is its inconsistency. In many situations it works well and limits access to dangerous functions, but all it takes is one allowed dangerous function to negate it completely.
 
What should we keep in mind if PHP safe mode is on?
The current best practice is to combine Safe Mode with a long list of functions for the "disable_functions" directive in the php.ini configuration file. This approach applies the Safe Mode restrictions to PHP as a whole and then specifically blocks functions that can be used to work around it. Again, the problem with this approach is inconsistency; if even a single dangerous function is missed, the entire process is wasted.
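The "single missed function" problem can be checked mechanically. The following is an added example, not part of the original article: it parses a php.ini and reports which command-execution functions are absent from the `disable_functions` directive. The baseline list, the helper names and the sample php.ini are assumptions made for illustration, and the baseline is not exhaustive.

```python
import re

# Assumed baseline, not exhaustive: PHP functions that run OS commands.
COMMAND_FUNCTIONS = {
    "exec", "shell_exec", "system", "passthru",
    "popen", "proc_open", "pcntl_exec",
}

# Constructed sample php.ini, not taken from a real host.
SAMPLE_INI = """\
[PHP]
safe_mode = On
;disable_functions = exec,system
disable_functions = "exec, shell_exec, system, passthru, popen" ; hardening
"""


def read_directive(ini_text, name):
    """Return the value of the last uncommented `name = value` line, or None."""
    value = None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":
            continue  # blank line, comment, or section header
        key, sep, raw = line.partition("=")
        if sep and key.strip() == name:
            # Drop a trailing ; comment, then surrounding quotes.
            value = raw.split(";", 1)[0].strip().strip("\"'")
    return value


def audit(ini_text):
    """Report whether safe_mode is on and which baseline functions are not disabled."""
    raw = read_directive(ini_text, "disable_functions") or ""
    disabled = {n for n in re.split(r"[,\s]+", raw) if n}
    safe_mode = (read_directive(ini_text, "safe_mode") or "").lower()
    return {
        "safe_mode_on": safe_mode in {"on", "1", "true", "yes"},
        "not_disabled": sorted(COMMAND_FUNCTIONS - disabled),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

On the sample, safe mode is on and five functions are listed, yet two from the baseline are still not disabled. An empty `not_disabled` result only means the assumed baseline is covered, not that the list is complete.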
 
So the question is: should we keep PHP safe mode on or off, and when?
Put plainly, always keep it off. It doesn’t solve any security issue and will not be there as of the PHP 6 release.
“Turn it off. Always leave it off.”
 
It was designed way back when as a way to make PHP safe to use on mass hosts, and let the hosts "lock down" PHP.
But over time, it was realized that this didn't really work, and didn't really solve the problem anyway. There are better system-level ways of securing servers. So PHP is removing the functionality in the next major version and has it deprecated.
 
If PHP safe mode is disabled and we want to secure the system, what should we do?

We should use OS-level security, and we can use ModSecurity for PHP at the application level.
 
Conclusion
We may allow PHP safe mode to be turned off, as doing so will not cause any serious issue.
 
For more information on PHP safe mode, visit this link: http://php.net/manual/en/features.safe-mode.php
 
