 

When or for what Reasons should folks turn PHP Safemode ON/OFF?

Question about PHP safe-mode:
By default it is switched on in the PLESK shared-hosting account environment. While it is on, my site seems to work fine, but maybe it will work faster/better when off? I don't understand the text below very well, especially PHP's explanation:

PLESK:

By default, PHP is configured to operate in safe mode with functional restrictions. Some web applications may not work properly with safe mode enabled: If an application on a site fails due to safe mode, switch the safe mode off

PHP.net:

This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged. The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.

Question1: When/for what reasons should folks turn Safemode ON?
Question2: When/for what reasons should folks keep Safemode OFF?

Sam asked Jan 20 '23 14:01


1 Answer

Turn it off. Always leave it off.

It was designed way back when as a way to make PHP safe to use on mass hosts, and let the hosts "lock down" PHP.

But over time, it was realized that this didn't really work, and didn't really solve the problem anyway. There are better system-level ways of securing servers. So PHP is removing the functionality in the next major version and has it deprecated.

So to directly answer your questions:

When should folks turn it on:

Never. It doesn't really work, and it limits what you can do with PHP in a sane way, so just don't turn it on.

When should folks keep it off:

Always. It doesn't really work, so there's no point to turning it on...

That's my $0.02 anyway...

Edit: Some references

Everything you can do to a server, you can do with Safe Mode on, including: It's possible to write to the webserver anyway. So what's the point?

A mailing list thread from PHP about removing it in 6

Edit2: About speed:

The speed difference is likely to be trivial at best. It's no more than a micro-optimization. You're going to get a far bigger gain by writing your code well than worrying about a specific configuration option such as this. Don't worry about the speed difference at all. Build your application properly, and worry about speed later. Not to mention that the choice of front end web server (Apache, IIS, Lighttpd, Nginx, etc.) and SAPI (mod_php, CGI, FastCGI, etc.) will make a far bigger difference than safe_mode ever can...

ircmaxell answered Jan 30 '23 14:01