Home » Php » Why does PHP consider it "unsafe" to use system time zone?

Why does PHP consider it "unsafe" to use system time zone?

Posted by: admin July 12, 2020 Leave a comment


PHP manual says:

Since PHP 5.1.0 (when the date/time functions were rewritten), every call to a date/time function will generate a E_NOTICE if the timezone isn’t valid, and/or a E_WARNING message if using the system settings or the TZ environment variable.

What security concerns come from using default system time zone?

Why does PHP consider it unsafe?

How to&Answers:

I believe it is less of a worry of security issues (at least directly) using the local system timezone and more of issues reliably determining the system timezone at all. The solution, that gave you the message you are seeing, is based on the established coding convention that it’s better to be explicit.

From my understanding, PHP devs have run into bugs in some underlying operating systems that had prevented reliable timezone detection in the past. The solution (after trying several) was to explicitly specify the timezone PHP should be working with.

As far as being unsafe, I believe there are a lot of scenarios where a faulty timezone could cause security issues for your application, even if not directly. Everything from transaction timestamps to session management in a multi-datacenter environment.