PHP :: Disable Safe Mode Without Loss Of Security ?

SAFE MODE
I'm devoloping a web gallery in php. The user may upload images
for every news posted. Every news has a internal number that references a
folder with the same name that the new. The folder has 2 folders inside
called 'main' and 'thumb', for big images and thumbnails.
This may appear like this

/123
/main
photo1.jpg
photo2.jpg
/thumb
photo1.jpg
photo2.jpg
/124
/main
photo51.jpg
photo32.jpg
/thumb
photo51.jpg
photo32.jpg

do you understand? I try to make the folders on the fly with mkdir, but
SAFE MODE is activated, so I can't do anything inside the folder I have
just created.

Safe Mode
it's running on Linux RedHat, with Apache 2.0.52.

i'm getting the following errors:
Warning: shell_exec(): Cannot execute using backquotes in Safe Mode in
/var/www/html/......
and
Warning: fopen(): SAFE MODE Restriction in effect. The script whose uid
is 500 is not allowed to access /proc/uptime owned by uid 0 in
/var/www/html/xxx.php on line 4

In my php.ini file, i have
safe_mode = false
i tried safe_mode = 0 or OFF, but same problem.

Disbling Safe-mode On The Fly?
I was wondering if anyone could tell me how to disable safe_mode on the fly. I tried using ini_set, but it always returns that is enabled, even after I set it to be disabled.

Mkdir Possible Under Safe Mode?
I am trying to create dirs for storing photo-albums per directory. I can create these with mkdir(). But i am not able to access the dirs. I get the message "script with UID 1234 cannot acces dir which is owned by UID 12".

How can I circumvent this problem? (except ftp_mkdir which only shifts the problem: the dir is then owned by the ftp user)

Using Parse_ini_file() In Safe Mode
Is there a way to get php to do a parse_ini_file() in safe_mode without
turning the entire safe_mode off?

Safe Mode And Passthru
I seem to be getting some inconsistent results when using passthru()
in safe mode. They appear to be related to the fact that passthru
should treat all command arguments as one single argument when safe
mode is on. Everything works just fine on my MacOS X webserver (
Apache 1.3.29 with PHP 4.3.6 ). But on my Linux Enterprise 3.0
production server (running Apache 2.0.46 with PHP 4.3.2) things are
different.

Here are the argument(s) that passthru hands to my command when safe
mode is off:

rrdtool args: graph - --start -3600 --end N --width 300 --height 75
--lower-limit 0 --rigid --title BaBarCM2 Grid Load last hour
--vertical-label Load/Procs
DEF:load_one=/u2/ganglia/rrds/BaBarCM2/__SummaryInfo__/load_one.rrd:sum:AVERAGE
DEF:proc_run=/u2/ganglia/rrds/BaBarCM2/__SummaryInfo__/proc_run.rrd:sum:AVERAGE
DEF:cpu_num=/u2/ganglia/rrds/BaBarCM2/__SummaryInfo__/cpu_num.rrd:sum:AVERAGE
DEF:num_nodes=/u2/ganglia/rrds/BaBarCM2/__SummaryInfo__/cpu_num.rrd:num:AVERAGE
AREA:load_one#CCCCCC:1-min Load LINE2:num_nodes#00FF00:Nodes
LINE2:cpu_num#FF0000:CPUs LINE2:proc_run#0000FF:Running Processes

And this is what passthru hands to my command when safe mode is on:

rrdtool args: graph - --start -3600 --end N --width 300 --height 75
--lower-limit 0 --rigid --title 'BaBarCM2 Grid Load last hour'
--vertical-label 'Load/Procs'
DEF:'load_one'='/u2/ganglia/rrds/BaBarCM2/__SummaryInfo__/load_one.rrd':'sum':AVERAGE
DEF:'proc_run'='/u2/ganglia/rrds/BaBarCM2/__SummaryInfo__/proc_run.rrd':'sum':AVERAGE
DEF:'cpu_num'='/u2/ganglia/rrds/BaBarCM2/__SummaryInfo__/cpu_num.rrd':'sum':AVERAGE
DEF:'num_nodes'='/u2/ganglia/rrds/BaBarCM2/__SummaryInfo__/cpu_num.rrd':'num':AVERAGE
AREA:'load_one'#CCCCCC:Ƈ-min Load' LINE2:'num_nodes'#00FF00:'Nodes'
LINE2:'cpu_num'#FF0000:'CPUs' LINE2:'proc_run'#0000FF:'Running
Processes'

The quotes are still there. Why am I not getting consistent behaviour
on both platforms? Is this a bug in php 4.3.2 or 4.3.6?

Safe Mode / Directories
I created a directory with PHP mkdir (mode 0777). Then I try to
move_ulpoaded_file() to move a file into this directory. I get an error:

Warning: move_uploaded_file(): SAFE MODE Restriction in effect. The script
whose uid is 1999 is not allowed to access
/home/www/ww4592/html/fs/PHP/Dateien/Bereich_1/NEUER_ORDNER owned by uid 33
in /home/www/ww4592/html/fs/PHP/File.php on line 57

The webspace is at a webhost-company, not on my own server. I think I
understand the restrictions of SAFE MODE, but I do not understand why a
script has another uid than a directory created by the very same script!

Is the error above the "normal" bevaviour if SAFE MODE is on?

If it is: That is a drastic limitation. If I say to a client "I need
webspace with PHP" and I get that SAFE MODE-stuff would it not be right to
say that that is no fully working PHP-Webspace? I mean a webspace that does
not allow a directory to be created and a file moved into it does not really
support PHP -- it's a joke! Any opinions?

Safe Mode Survey
I am developing a script which could be very powerful, but only if safe mode is turned off. I don't know if it's worth developing or not since I have no idea how many people's servers have safe mode off...

Safe Mode And Mail
safe mode on and mass mailing wished. I know that it's not possible to set time limit, when safe mode is on. Sure mass mailing using mail function takes longer than default execution time of the script. My codes should be portable, that why modification of php.ini is not an option.

Also the users shouldn't be experinced and authorized to do this. In brief, I have to find a solution without a need to work in shell. So, due to my theoratical knowledge it seems to be a solution, to queue the mails to sendmail by using popen. Is it true? Or what could be your suggestion for this issue.

Gallery In Safe Mode?
can anyone tell me whether there is a gallery application available that
works in "safe mode"? I'd rather not have to write my own if someone's done
it already...

Safe Mode Question
I have a program (site_bot, found at phpclasses.org)
that

1) recursively reads a file system starting at
locationA, and stores lots of filesystem info
in a mysql schema on the fly.

2) mirrors the directory structure found at locationA
to locationB

3) processes the info in the schema and writes static
html code into the mirrored directory structure
at locationB.

This code works flawlessly at several (edu) sites where
the nefarious safe_mode is Off. I recently tried
to set this code up on in commercial virtual host
environment, and ran into catch22 at every step.

With safe_mode On, user apache cannot mkdir recursively
inside a filesystem that belongs to login user.
If I chown the program code and the write_to directory
so they belong to the apache pseudo user, then the
apache process has the requisite write access, but
fails when trying to read the source directory (locationA).
chmod 777 on the source dir doesn't seem to fix the
read access problem (for user apache).

This is a showstopper, because the whole system
revolves around the user's ability to add images,
text files and html fragments to locationA (to
become generated html).

If the host provider refuses to turn off safe_mode,
is there any other way to (to set file permissions
or whatever) so php with safe mode can read from
user files and write the server side file system.

My host provider doesn't even seem to understand
the problem, let alone know how to fix it.

Safe Mode Problem
I have a script that builds up galleries of pictures and then let people vote on them. The script admin is in a folder named: /admin and includes all db
connections.

Then each galleries generated by the script goes into
/galleries/name1.2.3.etc...

So I used to connect to my db for the voting using
include("../admin/db_func.php");
but now that safe mode is on I cant make it work anymore.

Imagejpeg() Due To Safe Mode?
The following script used to work great. I hadn't used it for a long time and in the meantime I guess, things changed with php (safe mode? etc.).

I get the following error now when trying to scale an image:

Warning: imagejpeg() [function.imagejpeg]: Unable to open '/home/domain/public_html/fileresize/temp/18d7011550ad5fa215d9e089a5aa27aa-image.jpeg' for writing in /home/domain/public_html/fileresize/resizejpg.php on line 90
I searched and found recommendations to use touch();

I tried that and it still doesn't work. So I don't know if I'm putting touch(); in the wrong place, or what else might be wrong. I'm really hoping someone can help get this working again. It's for a non-profit animal rescue website and having the image resize is vital to what I need to accomplish. Code:

Safe Mode & Files Manipulation
I'm trying to make my scripts work in safe mode for a few days and I'm starting to be really confused about the restrictions of the filesystem functions using this mode. I wonder if anyone could explain it to me..

The thing I know is that if you upload a PHP script through FTP, the user of this script is usually the site user (on my RAQ4 it's "siteX", with X being the ID of the site). On the other hand, if a PHP script create a file or directory (using copy, open, mkdir and other functions), the user of this file/directory is the apache user (usually httpd).

(I believe this is solved in Apache 2.0 but it will be a loooong way until enough people upgrade to this version... )

From my tests, I found out that deleting a file (using the unlink() function) which has been created by a PHP script (so the UID is not the same) works! Reading or overwritting a file with a different UID is also not a problem. On the other hand if the directory where this file is located does *not* have the same UID, it fails. This is not what is written on the documentation for unlink():

"Checks whether the file(s)/directories you are about to operate on have the same UID as the script that is being executed. Checks whether the directory in which you are about to operate has the same UID as the script that is being executed."

Includes seems to work the same way, although I have not tested it extensively. IE: you can't include a file if the directory where this file is located doesn't have the same UID, but it works fine even if the included file has a different UID.

So it seems that files functions are not a problem in safe mode as long as the directories are not created by a PHP script. Is this true or is there another explaination? The PHP docs are very unclear about safe mode restrictions, they even admit it ("This is a still probably incomplete and possibly incorrect listing of the functions limited by safe mode.") so hopefully someone can enlight me on this subject.

PHP: Upload Problem When Safe Mode ON
I have a file called upload.php: PHP Code:

File Uploads With Php In Safe Mode
I wrote some code that handles file uploads with php in safe mode, but it raises some questions and I'm not sure if I like it or not. So I would appreciate some advice or answers to this:

A host runs PHP in safe mode which prevents using copy() for file uploads. Instead I could use system() or exec() to move/copy the file to the desired destination. But since I prefer letting PHP handle this stuff, I decided to try using move_uploaded_file() to see what would happen. And that worked...
Which made me wonder why I could move a file, but I couldn't copy it. Shouldn't it be the other way around? Some extracted code:

$upfile is the filename from the upload form
$newfilename is the desired new filename concatenated with the desired path

// This will not work if PHP is in safe mode
if (copy($upfile, "desiredpath/" .$newfilename)) {
// OK! }

// But this will work if PHP is in safe mode
if (move_uploaded_file($upfile, "desiredpath/" .$newfilename)) {
// OK! }

I didn't explore how to use system() or exec() to move/copy the file, but could someone shed some light on how/why to use that instead? And what's the file rights difference between copy and move in this case?

SAFE MODE,fopen, And Chmod
I have a free php hosting account (a LAMP host) with an account name
(also the name of my directory) 'sample'.
Under 'sample', I have php scripts which can create files and folders
programmatically. I have manually created a directory called 'users'
under 'sample' and have given it a chmod 777 successfully.[color=blue]
>From my script in 'sample', say myscript.php, I can successfully create[/color]
any number of files inside sample/users/, say, sample/users/aaaaa.txt,
sample/users/bbbbb.css, etc. I can also create directories at runtime,
say, sample/users/mydir1, sample/users/mydir2 etc. and can also
successfully chmod each to 777 (all this from myscript.php).
The host is "running in SAFE MODE", where, it seems that for fopen,
mkdir and many other functions, a check is done for the UID of the
script-running process to be the same as the UID of each resource
concerned(mydir1, mydir2, aaaaa.txt etc) and only if the UIDs match, is
the function allowed to work successfully.

The problem is that while I can make all these directories(mydir1,
mydir2, etc) under sample/users and files aaaaa.txt and bbbbb.css under
sample/users, I cannot make files inside mydir1, mydir2 etc. _inspite_
of the fact that I can _successfully_(confirmed from independent
filemanager utility) chmod all these created directories to 777.

The message I get is something like: Warning fopen(): SAFE MODE
restriction, the script whose UID is 12878 is not allowed to access
sample/users/mydir3 owned by UID 99 in /path/to/script/myscript.php on
line 484.

This inspite of the fact that the newly created sample/users/mydir3 has
been successfully chmodded to 777 as is visible from the host's
filemanager utility!

The same script has in the prior lines created the directory
sample/users/mydir3 and many files like sample/users/ccccc.css,
sample/users/dddddd.css and so on, without a problem. Plus, not having
permissions on mydir3 is ruled out because the script just made it
itself and chmodded it to 777.

Safe Mode & File Upload
Is there any solution to create a directory with one script
with mkdir(), and then write a file (or move an uploaded file) in this
directory with another script?

The problem is, that the directory belongs to the PHP-interpreter (UID
33 in my case) and the script doing the file creation and the one
creating the directory belong to the FTP-user (UID 754 in my case).

I just can't create diffenent directories and write some pictures in.

My provider doesn't want to turn off Safe Mode.

Mail() - Fifth Parameter In SAFE MODE
I want to send mail with the function mail().
I am on a shared server in SAFE MODE.

When I send a mail I get the message:
"SAFE MODE Restriction in effect.
The fifth parameter is disabled in SAFE MODE"

But I need the fifth parameter, because it is the only way to set my
own Return-Path (instead of nobody@server....)

I tried this too:

echo ini_set("safe_mode",0);
mail($admin, $subject, $message, $head, "-f$email"))
echo ini_set("safe_mode",1);

but it does't work.

PHP Script To Turn Off Safe Mode
I have a web site on an isp and i need a page to upload a file. The php setting on the isp php.ini has Safe_mode on and i need it turned off for this script to run properly. I do not have access to the php.ini file so is there any script that will turn off safe_mode for the duration of the script. If there is no such script does anybody know how i could upload a file with safe_mode on?

Image Gallery In Safe Mode
Has any of you fine people found a PHP image gallery that works in Safe
Mode?

I am fed up with downloading one after another when they all seem to fall
down in Safe Mode!!! :-(

I could just write one myself, but it seems a bit excessive when there must
be one out there,

Php Safe Mode And Uploading Images
I am trying to upload an image to my school server, however it is in safe mode. I am developing a webpage for a club and would like to be able to upload images using a single php script. I have searched around and want to make sure if it is even possible to upload in safe mode with PHP version 4.4.2. This is the code I currently have:

$uploaddir = "upload/";

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir.$_FILES['userfile']['name']))
   {
   echo "file uploaded";
}

   else
   {
      echo '</br>';
echo "error!";
echo '</br>';
echo $_FILES['userfile']['error'];
      echo '</br>';
}

I have set all the right permissions to the upload folder and I know my form is right. I got the form code by searching google and referencing a php book I have. By the way, the error I get when I try and upload something is 0.

Openbase_dir Problem With Mod_vhost_alias And Safe Mode
I am having problems with apache running with mod_vhost_alias with php scripts. Php is running with safe mode on and I am limiting openbase_dir with .

My config is like the following :
<VirtualHost ...........>
..................
VirtualDocumentRoot /services/web/%0
VirtualScriptAlias /services/web/%0/cgi-bin/
### START PHP SETTINGS
php_admin_value safe_mode On
php_admin_value open_basedir .
php_admin_value include_path .
### END PHP SETTINGS
</VirtualHost>

The problem with this configuration is with people running php scripts can not use include "../script.php". For ex a script in
/services/web/domain/dir1/dir2/script.php can not include
"../script.php" although it is perfectly safe.

I have tried something like :
php_admin_value open_basedir /services/web/%0
but it did not work out as I intended.

Can someone please tell me is there a way to fix this situation ?
I don't want to define for every user <directory>...</directory> and hard-code openbase_dir values as it would defeat the purpose of using mod_vhost_alias ...

Installation Of Gallery, Safe Mode Problem
I'm having a problem with the installation of Gallery (http://gallery.sourceforge.net). My host has recently 'upgraded' the server and thus runs PHP in Safe mode.
How can I get around this?? Looking on Gallery's site, it instructs to run PHP as a CGI, something I'm not familliar with...

http://gallery.menalto.com/modules....=yes&id_cat=2#5

I've tried to download the source PHP and compile it on the server put it says "can't guess hostname" or something like that..

Safe Mode, Upload_tmp_dir - Case With Upload
my privider set:
safe_mode to ON and leave upload_tmp_dir blank
I think that there is the reason for my trouble with upload files via
POST method. If yes - I will ask my provider for changes but first I
would like to ask You. Can you ensure me?
thx in advance,
Rob

PS If I am wrong, the explanation: files are uploaded to tmp dir, but
if I check by file_exists() the result is false. If I use
move_uploaded_file() the result is the same: false.

Safe Mode To Insert Data In Database?
Hi what is the safe(est) mode to insert data (exmple email address) into database?
Example:

$query_return = mysql_query("INSERT INTO e_group (e_group_email) VALUES ('".$_POST['e_group_email]");
if(!$query_return) {
echo mysql_error();
exit;}

I heard about a slash (/) to put is somewhere when I want to email dont be a cached on the fly between a post and inserted into dbase - I think its good for a password too.

Copy(), Move_uploaded_file(): SAFE MODE Restriction In Effect
Is there any way to get around a safe mode and upload and move files?

What I need to do...Upload file...Move to images...Put file name in mysql db ... I know how to do all this, but when trying to move the file..

Using Move_uploaded_file

arning: move_uploaded_file(): SAFE MODE Restriction in effect. The script whose uid is 32038 is not allowed to access / owned by uid 0 in /home/chasesch/public_html/client/admin/upload.php on line 4

Using copy() and unlink()

Warning: copy(): SAFE MODE Restriction in effect. The script whose uid is 32038 is not allowed to access / owned by uid 0 in /home/chasesch/public_html/client/admin/upload.php on line 5

Global Turned Off & SAFE MODE Restriction In Effect
I need a Host based in North America that will allow Global settings
to be on and the Safe Mode restriction off...

Warning: Mail(): SAFE MODE Restriction In Effect.
Could the new PHP bug that results in SS includes reporting a streaming data error be associated with the SAFE MODE option? I have one host running my script perfectly with no errors, and the other host (with safe mode enabled), reporting the include error?!?

Also, is there a way around the following error when running safe mode:

Warning: mail(): SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE. in /www/displaycasestor.com/www/bin/test/order-online-new-results.php on line 338
Code:

Warning: Main(): SAFE MODE Restriction In Effect.
There are 2 values for safe_mode . Local and Master. Why is local value OFF and Master value ON. I want my safe_mode to be OFF on server, becoz it is giving me this error:

Warning: main(): SAFE MODE Restriction in effect. The script whose uid is 33 is not allowed to access ../../../../library/CConnection.php owned by uid 0 in /var/www/vhosts/default/htdocs/publisher/abhi1234/Tv_today/issue2/magazine.php on line 2

Warning: main(../../../../library/CConnection.php): failed to open stream: Success in
/var/www/vhosts/default/htdocs/publisher/abhi1234/Tv_today/issue2/magazine.php on line 2

Warning: main(): SAFE MODE Restriction in effect. The script whose uid is 33 is not allowed to access ../../../../library/CConnection.php owned by uid 0 in /var/www/vhosts/default/htdocs/publisher/abhi1234/Tv_today/issue2/magazine.php on line 2

Advanced Filesystem Usage (Warning: SAFE MODE Restriction In Effect.)
I'm working on the automatic News insertion functionality, which is simple enough in itself. But where I'm having the problem is dealing with uploading image files. Since we use screenshots from in game as pictures to give viewers a more interesting view of what the news article is about, I need to be able to store images for the news files on the server.

Now, I could store all the images in one images folder, but I wanted to do something different. Which, with the form that I created to allows uploading of images, it will store them in a subdirectory of the images/ folder that is similar to the current date they were uploaded on. ie today would go into "images/04.15.03/file.gif" basically.

I'm authenticating the uploaded file fine from what I can tell. The hard part first came in getting the subdirectories to be created with the mkdir() command. At first it just wouldn't do it, after trying several ways. Finally I figured out I had to change the priveleges of the directory on the server. After that I was able to create subdirectories in PHP. Problem is, I'm using move_uploaded_file() which is considered safer and works better in safe mode. But I'm recieving the following error.

Warning: SAFE MODE Restriction in effect. The script whose uid is 547 is not allowed to access /%mybasedir_hiddenfrom you%/images/04.15.03 owned by uid 48 in /%mybasedir_hiddenfrom you%/classes/class.files.php on line 225

The line it points to is the move_uploaded_file() function. From what I've heard through safe mode you can't upload to dir's you create or something due to the owner of them. But I already set the created dir to full priveleges.

I'm wondering if there is a way to sort of log into the apache server via php and create the directly as the site owner that way. Here are the code snippets: PHP Code:

"Admin Mode" Variable. Safe Method?
I'm currently developing a site that lists a number of articles using a PHP loop that pulls data from a MySQL database. In this loop (i.e for each article) I have an IF statement: if ($adminMode == true) echo 'Administrator only stuff';

Basically, the site will either operate in normal mode if the $adminMode variable is false, otherwise it will operate in admin mode with all the extra admin content therein (like an 'edit' or 'delete' link for example). Now, in order to set the $adminMode variable, I have a seperate file called admin.php which is protected by a .htaccess password. In the admin.php file, I have this:

$adminMode = true;
require_once 'main_page.php';

The $adminMode variable is never passed via a POST or GET and every administrator function checks the $adminMode variable is true before executing. My question is this: is this method safe?

Loss Of Cache
I have a little script that takes the data from a user filled-in form, and then generates a pdf file with the content. Between the actual filling in of the form and the generation of the pdf file, there is a confirmation screen where the user sees the values he/she is submitting and confirms wether they are right or not.

The problem is that if they spot an error and go back to the form (using the back button), they get a message saying that the page contains POSTDATA that has expired from cache etc... and when they get the form back, it is blank.

Session Loss
I've been searching for a long time, but couldn't come up with a
solution or a clue, so I submit my case to your attention :

1. On a Windows client, an application creates a temporary htm file and
opens it with IE 6. This file only contains a redirection instruction
to an outside URL :

<META HTTP-EQUIV=Refresh
CONTENT="0;url=http:/my.url.com/?params=zdazdazda">

2. once I navigate at this adress, everything is fine until the site
opens a pop-up window, I close it _and_ try to follow another link
(still inside the site) : the client loses the session reference

On the server side, PHP based, the file containing the session data
still exists in /tmp.

What I can do :
- update the temporary htm file
- modify the php files
What I can't do :
- skip the Windows app.
- use another browser

My config :
client : WinXP SP2 + IE 6.0.2800
server : L.A.M.P.

One Way Crypt And Password Loss
How can I send a user's password by e-mail if I use one way crypting features like MD5 or Crypt?

Form Data Loss
I have recently started experiencing form data loss. Here is an
example:

====test_form1.php====

<form method="POST" action="test_form2.php">
<input name="textboxvalue" type="text" size="20">
<br>
<input type="submit" value="Submit">
</form>

======================

====test_form2.php====
<?
echo "textboxvalue: ".$textboxvalue;
?>
======================

(note: these are incomplete examples, I have left out the <html> tags
for example)

After putting in data into the textboxvalue textbox and pressing the
submit button, on the second page only "textboxvalue: " is displayed.
The weird thing is that when I restart my computer, this works fine,
but then stops working again. These pages are encrypted with 128 SSL
encryption (mod_SSL 2.8.15).

This problem has plagued an online app that I am developing and is a
company-wide problem that happens on computers in other offices too.

Here's my info:

SERVER
Apache 1.3.28
PHP 4.3.6
MySQL 3.23.39
mod_SSL 2.8.15
phpMyAdmin 2.50

CLIENT
Windows XP Pro
Internet Explorer 6.0.28