rfc:drop_sql.safe_mode

Request for Comments: Drop sql.safe_mode php.ini setting

Introduction

sql.safe_mode is a very old feature of PHP, not really maintained and barely understood. The documentation claims on http://php.net/manual/en/ini.core.php#ini.sql.safe-mode

  If turned on, database connect functions that specify default values will
  use those values in place of supplied arguments. For default values see
  connect function documentation for the relevant database. 

The documentation of the individual extensions gives no further details.

Source-based feature analysis

According to a grep this setting is only used by the classic mysql and interbase extensions.

With the classic mysql extension sql.save_mode will throw an E_NOTICE and override the user provided connection settings and use php_get_current_user() (the owner of the executed main script) as mySQL user and mysql default host/password, ignoring values provided by php.ini. This makes this feature unusable onsystems where the mysql socket is not located at /tmp/mysql.sock.

With interbase it will allow any username/password but (silently) override the selected database using a value provided by php.ini. Additionally it will throw an error in case a CREATE DATABASE statement is detected.

Other extensions (notably mysqli, PDO, pgsql, oci) don't respect that setting in any way. There is one request to extend it to mysqli.

Proposal and Patch

The proposal is to drop PG(sql_safe_mode) and references to sql.safe_mode from the source. A straight-forward patch will be created and committed if this RFC is accepted.

Reasoning

This global setting has very different behavior with the two supported extensions. For using this feature with mysql one has to create a password-less MySQL account which opens attack vectors for users with any form of access to the machine.

Changelog

rfc/drop_sql.safe_mode.txt · Last modified: 2014/04/09 01:00 by levim