Hi,

>> But unfortunately a dedicated server does not cost much more than virtual
>> hosting anymore (just have a look at http://powerraq.com/ ). PHP is
>> mostly pre-installed (with "dev settings" and not "production settings" -
>> many admins even forget to switch on safe_mode) and this laziness
>> leads to thousands of insecure PHP installations on production
>> machines.

> Why would you switch on safe_mode if you have a dedicated server? That
> makes no sense. There is also nothing unsafe about the session code if
> you are on a dedicated server.

I meant renting a dedicated server for selling virtual hosting. But because safe_mode is so terribly limiting (file uploads don't work as desired, etc.) many hosters just leave it "off". It's terrible, but I see it quite often.

But I don't want to start a discussion on this again. Until Apache 2.0 has reached production quality, there is no standard method of making PHP secure. Period.

I actually got PHP scripts running "as user". I applied a patch to cgiwrap (I know, patching cgiwrap or SuEXEC is a no-no) but I still want to test this thoroughly as I don't have any information about stability/security. There's quite a loss of speed (more latency) because of CGI and also because, for example, persistent database connections are no longer possible. But at least I can execute shell commands (such as invoking http://www.imagemagick.org/ ) without any problems.

Kind Regards,
Daniel Lorch

--
PHP Development Mailing List <http://www.php.net/>