Hi,
This topic was already discussed in bugtraq and there should also be an
entry in the PHP bug database about this:
http://www.securityfocus.com/archive/1/250196
http://www.securityfocus.com/archive/1/250593
I fully support Rasmus, saying that we should mention the default
But unfortunately a dedicated server does not cost much more than virtual
hosting anymore (just have a look at http://powerraq.com/ ). PHP is
mostly pre-installed (with dev settings and not production settings -
many admins even forget to switch on safe_mode) and this laziness
leads to
Why would you switch on safe_mode if you have a dedicated server? That
makes no sense.
It can be useful to minimise the damage in case someone finds a hole
in your PHP scripts, and the hole allows them to access files on
the server.
--
Ivan Ristic, [EMAIL PROTECTED]
[ Weblog on PHP,