PHP On Safe Mode or NOT?

iamdave
02-17-2002, 06:15 PM
What security risks are there of having php not running in safe mode? I have a few php scripts that give me errors because php is running in safe mode.

Mike the newbie
02-17-2002, 06:30 PM
If you are the only person on the server, or if all the people on your server are trusted by you, then it might be OK to have safe_mode turned off. Otherwise, leave it on. Without safe_mode, anyone who can put a php script on your system will have access to all of the world-readable files on your server. My suggestion would be to find out how to config the server to allow safe_mode to be left turned on. If you haven't already, look here (http://www.php.net/manual/en/features.safe-mode.php) for more info.

priyadi
02-17-2002, 08:34 PM
Use php in cgi mode with suexec, all scripts guaranteed to work, safely :) Or, it might be a good idea to use both. Use Apache module version with safe mode if you need performance, or use cgi mode if you need more flexibility.

Ales
02-17-2002, 11:21 PM
Or turn off safe mode just for that single domain. It can be done... Don't do it for the entire server, or your customers will be able to execute shell commands through the use of php. You might as well just shoot yourself in the leg instead :D
Ales

iamdave
02-18-2002, 01:40 AM
Well, my customers don't have access to FTP or SSH, they just see their site. I build their site, and they see it... so it would be safe to turn it off, since I'm the only one with any access, correct?

Ales
02-18-2002, 01:50 AM
Hmm... yes, in this case I don't see how they could compromise the server. If you turn it off just for this particular site and as long as these scripts you mentioned are not harmful, you should be safe.

heddesheimer
02-18-2002, 03:53 AM
I think safe_mode is not bad because you gain more security (as has already been said) but it should be used properly.
I know a host who set openbasedir to the webspace instead of the user's home dir. This is not very usable. As a host you must see that turning on safe_mode means getting more support requests from your users because they can't do all the things that they can find in their PHP tutorials, so you have more work. You should also be aware that safe_mode will not give you ultimate security, because it only closes one possible security leak. I prefer to not use safe_mode and try to implement security within my scripts as much as possible.
Marian
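The per-domain override Ales mentions, combined with heddesheimer's point about pointing open_basedir at the user's home directory, shown as an added example that does not come from any poster in the thread. It assumes Apache with mod_php on a PHP release that still has safe_mode (the feature was removed in PHP 5.4.0); the host names, the accounts `dave` and `customer1`, and all paths are constructed placeholders.

```apache
# Constructed example: host names, accounts and paths are placeholders.
# Assumed server-wide default in php.ini:  safe_mode = On

# The one trusted site whose scripts fail under safe_mode.
<VirtualHost *:80>
    ServerName trusted.example.com
    DocumentRoot /home/dave/public_html

    # php_admin_* values are fixed by the server config; they cannot be
    # overridden from .htaccess or ini_set(), so a script cannot change them.
    php_admin_flag safe_mode Off

    # With the owner (UID) check gone, confine file access to this account.
    # The home directory is used, not just public_html, so scripts can keep
    # data outside the document root. The trailing slash makes the value a
    # directory rather than a name prefix (/home/dave would also match
    # /home/dave2).
    php_admin_value open_basedir "/home/dave/"

    # Keep uploads and session files inside the allowed tree.
    php_admin_value upload_tmp_dir "/home/dave/tmp"
    php_admin_value session.save_path "/home/dave/tmp"
</VirtualHost>

# Every other site keeps the server-wide safe_mode = On and gets its own
# open_basedir, so a script uploaded there stays inside that account.
<VirtualHost *:80>
    ServerName customer.example.com
    DocumentRoot /home/customer1/public_html

    php_admin_value open_basedir "/home/customer1/"
    php_admin_value upload_tmp_dir "/home/customer1/tmp"
    php_admin_value session.save_path "/home/customer1/tmp"
</VirtualHost>
```

To confirm what a given virtual host actually received, check the "Local Value" column for `safe_mode` and `open_basedir` in that site's `phpinfo()` output.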