When or why should people turn PHP Safemode ON / OFF?

PHP safe mode question:
By default, it is enabled in the PLESK shared account environment. It seems to work fine on my site, but maybe it would work faster / better when it is turned off? I don't understand the text below very well, especially the PHP explanation:

PLESK:

By default, PHP is configured to work in safe mode with functional limitations. Some web applications may not work correctly with safe mode turned on: if the application on the site crashes due to safe mode, disable safe mode.

PHP.net:

This function has been DEPRECATED since PHP 5.3.0. Relying on this feature is highly discouraged. PHP safe mode is an attempt to solve a security problem with a shared server. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS level are not very realistic, many people, especially Internet service providers, now use safe mode.

Question 1: When / for what reasons should people turn Safemode ON?
Question 2: When / for what reasons should people keep Safemode OFF?

+4
2 answers

Turn it off. Always leave it off.

It was designed as a way to make PHP safe for use on mass hosts and allow hosts to "block" PHP.

But over time, it was realized that this did not actually work, and in any case did not solve the problem. There are more effective ways to protect servers at the system level. Thus, PHP is removing the functionality in the next major version and abandoning it.

So, to directly answer your questions:

When people should turn it on:

Never. It really doesn't work, and it limits what you can do with PHP in a smart way, so just don't turn it on.

When people should turn it off:

Always. This does not work, so it makes no sense to enable it ...

That is my $0.02 anyway...

Edit: some links

Everything that you can do on the server, you can do in safe mode, including: in any case, it is possible to write to the web server. So what is the point?

PHP mailing list thread about removing it in 6

Edit 2: About speed:

In the best case, the speed difference can be trivial. This is nothing more than micro-optimization. You will get a much bigger gain by writing your code, rather than worrying about a specific configuration parameter such as this. Do not worry about the speed difference at all. Build the app correctly and take care of speed later. Not to mention that the choice of a front-end web server (Apache, IIS, Lighttpd, NginX, etc.) and SAPI (mod_php, CGI, FastCGI, etc.) will make a much greater difference than safe_mode when -or...

+7

Safe mode adds some restrictions to file-system-related functions and process-handling functions (and some completely unrelated cURL parameters). This is currently considered meaningless since it can be bypassed on shared hosting servers using Perl, Python or bash CGI. Professional hosters use suexec and mod_chroot.

This can be useful if you want to use legacy scripts (however, whether that is a good idea is open to discussion). Although this does not solve all problems, restrictions can help reduce risks. This is thus a better solution such as mod_security.

As for speed; it is measurable, but not significant.

+2
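
For a host following the advice in the answers above, a first step is finding where safe mode is still configured. This is an added example, not code from the question, the answers, Plesk or PHP.net: a Python audit of php.ini text for the safe_mode directive family. The function name `audit_safe_mode` and the sample file are constructed for illustration.

```python
import re

# The safe_mode directive family found in PHP <= 5.3 php.ini files.
SAFE_MODE_KEYS = {
    "safe_mode", "safe_mode_gid", "safe_mode_include_dir",
    "safe_mode_exec_dir", "safe_mode_allowed_env_vars",
    "safe_mode_protected_env_vars",
}
TRUTHY = {"1", "on", "yes", "true"}

# Constructed sample input, not taken from a real host.
SAMPLE_INI = """\
[PHP]
; shared-hosting defaults
safe_mode = Off
safe_mode_gid = Off
;safe_mode_exec_dir = /usr/local/php/bin
safe_mode_include_dir = "/usr/share/php"   ; trailing comment
safe_mode = On
"""

def audit_safe_mode(ini_text):
    """Return (enabled, findings) for safe_mode directives in php.ini text.

    findings is a sorted list of (line_number, key, value). When a key is
    assigned more than once, the last assignment is treated as effective.
    """
    effective = {}
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line or line.startswith("["):      # blank line or [section]
            continue
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key in SAFE_MODE_KEYS:
            effective[key] = (lineno, value)
    enabled = effective.get("safe_mode", (0, "off"))[1].lower() in TRUTHY
    findings = sorted((n, k, v) for k, (n, v) in effective.items())
    return enabled, findings

if __name__ == "__main__":
    enabled, findings = audit_safe_mode(SAMPLE_INI)
    print("safe_mode effective:", "On" if enabled else "Off")
    for lineno, key, value in findings:
        print(f"  line {lineno}: {key} = {value}")
```

Any directive it reports is a setting to remove from the file, with isolation between accounts handled at the web server or OS level as the answers describe.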

Source: https://habr.com/ru/post/1338259/

