I have a single application for which I need the SHELL_EXEC command. Current php.ini blocks this within the disable_functions directive:-

disable_functions = system, exec, shell_exec, popen....

The manual tells me that this is unaffected by PHP's safe_mode directive, so it appears I cannot override this disable_function by switching safe_mode on and putting my script which needs SHELL_EXEC into a dedicated directory and set the safe_mode_include_dir to point to it.

My interpretation of the manual leads me to think that I would need to do the following:-

1. Remove SHELL_EXEC from the disable_functions directive
2. Turn SAFE_MODE on.
3. Put my script in a directory and set that directory in safe_mode_include_dir

Does anyone have any experience of doing this and does it sound right to you? Any major security issues that I should be worried about (other than in my own script using SHELL_EXEC of which I'm of course aware) ?

My usual security policy is to never allow anything to break out to shell and to just design applications in a way that they don't need to. Unfortuntately in this case I'm stuck with needing to do just that, so what I want to ensure I do is to mitigate any risk as much as is possible.

Thanks!