How many of you configure PHP in Safe mode?

What about setting open_basedir?

-t

Nope... we run PHP as a CGI, under suexec, which doesn't expose you to any more security vulnerabilities than any other script a user could upload.

That said, I'm looking forward to a release version of Apache 2.0 so we can offer PHP as a server module and still have scripts run with the user's permissions.

Yes, Apache 2.0 will be very interesting. BTW, has Covalent already released their commercial Apache 2.0?

I believe they have, which is odd, given that Apache 2.0 hasn't hit release yet. I guess they figure it's good enough. ;)