Turning off php4 safe mode - what to consider?

Question

I'm maintaining a website running a highly modified old version of osCommerce. My web host offers several flavours of PHP on a per-domain basis (although I think I recall seeing an option to set the PHP version per-directory). Those are PHP4 safe mode, PHP4 CGI, and PHP5 CGI.

I am currently running PHP4 in safe mode. It has turned out that, if I want to add a module (gettext), I need to be in any of the other two modes. Is there reason to be afraid of turning safe mode?

Answer 1

Really you want to migrate to PHP 5 ASAP.

The big differences between PHP4 and 5 are with the OO features - a quick grep of your code for OO keywords (new, class) will give you an idea of how big your task is.

Also, off-the-shelf applications (particularly unpatched ones) can be a big security risk - you should definitely be thinking about how to separate the mods from standard code distribution of osCommerce.

As to switching off safe-mode - the big question is whether this is on a shared host or not. If it's a dedicated host then there's nothing much to be concerned about - but do restrict PHP file access to the webserver document tree, include paths and any data dirs (including the session dir). If it's not a dedicated host, then you should also be looking for detailled information from your hosting company on how the sites are isolated from each other.