views: 386

answers: 1

Hi, I am wondering why the default value of the PHP safe_mode is ON in PLESK. I suspect it is a security issue, but how exactly is this useful?

P.S. As an inexperienced web developer I spent some hours wondering why the .php files were downloaded instead of run on my server. The reason was that this PHP default safe_mode was ON, and I found the solution by just making random reasonable-looking changes to the settings of the Plesk control panel. By asking this question I want to find consolation for the frustrating time I lost on this ridiculous problem. For me, not running .php files by default and not explicitly explaining why they don't work is just retarded. Or maybe I am retarded ...

+2  A: 

The problem you have with your files being displayed instead of executed is independent of the setting for safe_mode.

safe_mode is crucial to ensure that your scripts can't perform potentially unsafe operations that might allow a hacker to break into your server.

It sounds like you've managed to randomly change the setting that actually links .php files to mod_perl so that they run correctly, but if you don't know what you're doing you really should turn safe_mode back on.

Also, as a general rule of thumb when debugging problems: only change one thing at a time and then test between each change. This will help eliminate spurious assumptions about which change actually fixed the problem...

Alnitak
What I should do is read about safe_mode. Thank you.
chosta
I did it one change at a time :). But this was a desperate move. I usually try to find more rational solutions by myself. Then Google, then forums, then the Help file (never helped), and at the end just random actions of despair...
chosta
safe_mode is an ugly hack that prevents multiple users on a shared host from messing with each other. If you run your own server, there is no reason to have it turned on. This answer is right though - it's *not* the reason why your PHP scripts aren't being processed.
troelskn
Even on a dedicated server it has its uses. I've seen a server p0wned because the PHP developer did "include $_GET['page'];" without safe mode (and allow_fopen_url on, too)
Alnitak
@toelskn - actually, PHP is an ugly hack, and I say that as someone who's written quite a lot of it...
Alnitak
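
The `include $_GET['page'];` pattern mentioned in the comments, next to an allowlist-based replacement. This is an added example, not code from any participant in the thread; the page names, the `resolve_page` helper and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Page names, resolve_page() and the
// temporary demo directory are hypothetical.

// Pattern quoted in the comments, shown for comparison only:
//   include $_GET['page'];
// The request decides which file PHP loads and executes; with URL includes
// enabled, that can be a remote resource.

// Hardened form: the request value is only a key into a fixed allowlist.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested, string $baseDir): ?string
{
    // ?page[]=x arrives as an array, so check the type before the lookup.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved file must still sit under the base
    // directory (for example, if an allowlisted name is a symlink).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Demo with constructed inputs: build a throwaway pages directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
@mkdir($base);
foreach (PAGES as $file) {
    file_put_contents($base . DIRECTORY_SEPARATOR . $file, "<?php echo 'page body';");
}
// Report the setting that governs URL includes on this installation.
echo 'allow_url_include = ', var_export(ini_get('allow_url_include'), true), "\n";

foreach (['about', 'no-such-page', 'http://example.invalid/x.txt', ['home']] as $req) {
    $path = resolve_page($req, $base);
    printf("%-34s => %s\n", json_encode($req),
        $path === null ? 'rejected (send 404)' : 'include ' . basename($path));
}
array_map('unlink', glob($base . DIRECTORY_SEPARATOR . '*.php'));
rmdir($base);
```

Run it with `php` on the command line: only `about` resolves to a file, and the unknown name, the URL-shaped value and the array are all rejected before any `include` could happen.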