1

PHP 5.4 finally removed safe_mode and magic quotes.

Are there any alternatives to them? To enhance the security level?

NikiC
BlzOfHK
  • To what degree do you need to enhance security? Is this for a hosting company or private/dedicated servers? – Ken Jun 13 '11 at 15:02
  • I meant: are there other ways similar to safe_mode that give better security with fewer problems? – BlzOfHK Jun 13 '11 at 20:24
  • Better applications make it more secure. `safe_mode` doesn't help you, but makes everything more complex. There are good reasons why they get cancelled. – KingCrunch Jun 14 '11 at 17:37
  • What parts of safe mode do you want to emulate exactly? You'll need to give some detail for people to make some suggestions – Pekka Jun 14 '11 at 17:39
  • Why don't you accept answers? – Sebastian Mach Jul 13 '11 at 10:04

1 Answer

4

I think the point of removing these features is that the PHP development team acknowledges that implementing security features/mechanisms in the application stack is not a panacea for securing Web applications.

There shouldn't be direct code/configuration substitutes for these features in PHP. Instead:

  • application developers should be more explicit about such things as reading in values from requests and the environment AND validating and escaping values, instead of letting features like register_globals and magic_quotes do so indiscriminately.
  • system engineers and system developers should consider permissions for all filesystem resources required by an application rather than having safe_mode limit the accessibility and efficacy of built-in functions.

I'm sure someone will try to figure out how to re-create these features, and there will be a lot of late adopters that choose to stay on earlier versions of PHP instead of addressing security directly. But if you really are concerned about security, don't look for shortcuts.

AJ.
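The explicit read, validate and escape approach from the answer's first bullet, as an added example that is not part of the original answer: each value is read by name, validated against what the code expects, bound as a SQL parameter, and escaped only when it reaches HTML. It assumes the `pdo_sqlite` extension is available; `readUserId`, `readName` and the `$request` array are hypothetical names with constructed sample input.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_GET (assumption for this example).
$request = ['id' => '42', 'name' => "O'Reilly <script>alert(1)</script>"];

// Read each value explicitly by name and validate it (hypothetical helper).
function readUserId(array $request): int
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// Hypothetical helper: accept only a non-empty string of bounded length.
function readName(array $request): string
{
    $name = $request['name'] ?? '';
    if (!is_string($name) || $name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 bytes');
    }
    return $name;
}

$id   = readUserId($request);
$name = readName($request);

// SQL context: bound parameters keep data out of the query text, so the
// apostrophe needs no quote-escaping of the kind magic_quotes applied.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
$insert->execute([':id' => $id, ':name' => $name]);

// The stored value is the original string, unmodified.
$select = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$select->execute([':id' => $id]);
$stored = $select->fetchColumn();

// HTML context: escape at output time, for the context being written to.
echo htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```

The database holds the value exactly as submitted; escaping happens per output context rather than once on input, which is the distinction magic_quotes could not make.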