Workaround for disabled readfile

         

Grregorr

4:02 pm on Nov 3, 2003 (gmt 0)

10+ Year Member



My hosting company is about to disable readfile in PHP to improve security (I guess it is called safe mode). I have started to browse the PHP manual but cannot find a workaround to substitute for readfile and create pages dynamically as I did before. Could you point to any examples of code where this problem is solved?

jatar_k

5:04 am on Nov 4, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Hello Grregorr,

Do you mean the actual readfile function? Is there a piece of code that you are worried about? I have to admit I am not quite understanding the question.

Maybe a little more info?

Grregorr

5:39 am on Nov 4, 2003 (gmt 0)

10+ Year Member



Yes, I meant the readfile function. Something like:

readfile("textfile.txt");

will not work any more.

NickCoons

6:34 am on Nov 4, 2003 (gmt 0)

10+ Year Member



Grregorr,

Could you not open the file for read access, and then loop through the file reading it into a variable until you've reached the end?

You could also try:

$File = `cat /path/to/file`;
print "$File";

But I think the backticks are disabled when safe mode is on. Maybe passthru() would be what you're looking for in this case.

Grregorr

9:23 am on Nov 4, 2003 (gmt 0)

10+ Year Member



NickCoons,

I do not quite understand your post; I guess my knowledge of PHP is too superficial. Up to now I have used the readfile function in two ways. Either explicitly placing text files to create parts of pages, say a footer common to all pages.

readfile ("footer.txt");

And in the second instance I used a variable from the URL (something like: script.php?input=articletitle). The script first checked the validity of the $input value and then readfile was used in the following manner:

readfile ("directoryname/$input.txt");

But now in the safe mode these readfiles do not work any more.

coopster

11:04 am on Nov 4, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Sounds like all you really need to be using is the PHP include function [us4.php.net], Grregorr.

Grregorr

12:28 pm on Nov 4, 2003 (gmt 0)

10+ Year Member



Thanks coopster. It works. Funny I did not try it myself, as I used include function in other scripts.

Just one more question out of curiosity. I cannot see the security benefit of such a change. Someone could still supply an http address with malicious code for the script, and try to load that code for execution on my server. So in other words it seems to me that I have to check the data which is input to the script just the same in both cases.

coopster

1:16 pm on Nov 4, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Yes, always check any user-supplied information.

>> I cannot see the security benefit of such a change.

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISPs, use safe mode for now. ( [us3.php.net...] )

Switch hosting providers or get your own server ;)

Just kidding! But you are talking about some serious analysis as the functions restricted/disabled by safe mode are even unclear to the developers according to this statement [us3.php.net]:

This is a still probably incomplete and possibly incorrect listing of the functions limited by safe mode.

OUCH! Plus, roll down to the bottom of the list there and you find that Any function that uses php4/main/fopen_wrappers.c has LIMITATIONS. Well, I know the readfile function uses fopen_wrappers but I'm not sure if it is only when the file is a URL? What other functions are going to work/not work? I'm not sure -- but how can I be? Even the developers aren't sure as the double question marks confirm the incomplete and possibly incorrect listing!

I really can't answer your question regarding your hosting provider's motive/purpose for SAFE MODE ON. You'll have to ask them. When you get a response from your hosting provider I'd be interested to know why myself. Let us know. Best of luck on the changeover -- coopster

P.S.
There is a User Contributed note on the readfile function [us4.php.net] that starts with

This method does a remote copy WITHOUT the need for "fopen wrappers". If your host
doesn't offer the ability to copy remote files with "readfile", you can use this
one as a workaround.
that you may want to review. I'm not sure if it is going to help you resolve your issue, but only you can decide that.
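The input check discussed in this thread, as an added example that is not code from any poster: it validates the `input` URL parameter against an allowlist, confirms the resolved path stays inside the content directory, and then streams the file with the open-and-loop approach suggested earlier. Unlike `include`, this sends the file as data and never evaluates it as PHP. The names `ARTICLE_DIR`, `resolve_article` and `emit_file` are hypothetical, and the directory layout is assumed from the `directoryname/$input.txt` pattern above.

```php
<?php
// Added example; ARTICLE_DIR, resolve_article() and emit_file() are hypothetical names.
declare(strict_types=1);

const ARTICLE_DIR = __DIR__ . '/directoryname';   // assumed content directory

/** Map a user-supplied article name to a file inside $baseDir, or null if rejected. */
function resolve_article(string $input, string $baseDir = ARTICLE_DIR): ?string
{
    // 1. Allowlist the name: letters, digits, '-' and '_' only, bounded length.
    //    This rejects '/', '\', '.', ':' and NUL, so no traversal and no URLs.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $input) !== 1) {
        return null;
    }
    // 2. Resolve symlinks and confirm the result is still under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $input . '.txt');
    if ($base === false || $path === false) {
        return null;                      // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                      // resolved outside the content directory
    }
    return is_file($path) ? $path : null;
}

/** Stream a file to the client as plain data, without readfile() or include. */
function emit_file(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    while (!feof($fh)) {
        $chunk = fread($fh, 8192);
        if ($chunk === false) {
            break;
        }
        echo $chunk;
    }
    fclose($fh);
    return true;
}

$raw  = $_GET['input'] ?? '';             // may be an array if sent as input[]=...
$path = is_string($raw) ? resolve_article($raw) : null;
if ($path === null || !emit_file($path)) {
    http_response_code(404);
    echo 'Not found';
}
```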

NickCoons

3:02 pm on Nov 4, 2003 (gmt 0)

10+ Year Member



Grregorr,

<Either explicitly placing text files to create a parts of pages, say a footer common to all pages.>

I thought you were using it to read a file and dump the contents to the user. But from what you're saying, coopster's recommendation to use include() is correct.