Re: allow_url_fopen & allow_url_include


 



On Tue, Mar 3, 2009 at 11:52 AM, Chris <dmagick@xxxxxxxxx> wrote:

> Kaushal Shriyan wrote:
>
>> Hi,
>>
>> I have enabled allow_url_fopen & allow_url_include in the php.ini file.
>> Is it a security issue?
>>
>
> allow_url_fopen means you can fetch pages:
>
> $page = file_get_contents('http://www.example.com');
>
> This is ok to enable - all it does is fetch the page. It does not execute
> the code it retrieved.
>
>
> allow_url_include means you can remotely include code as if it was on your
> server:
>
> include('http://www.example.com/page.html');
>
> That means if http://www.example.com/page.html includes any php code, it
> will be executed on your server - this one definitely is a security
> consideration.
>
> If you enable allow_url_include be very careful about what you include.
>
> If you're still not sure, enable url_fopen, do not enable url_include.
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
Thanks Chris :-)

Kaushal
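
An added example, not part of the original thread or either poster's code: a runtime check of the two settings discussed above, plus one way to be careful about what gets included by mapping request values through an allowlist so a URL can never reach `include`. The names `PAGES`, `ini_flag`, `audit_url_settings` and `resolve_page`, the page file names and the temporary directory are all assumptions made for illustration.

```php
<?php
// Added example. PAGES, ini_flag, audit_url_settings and resolve_page are hypothetical names.
// Read a boolean ini setting; accepts the spellings PHP treats as "on".
function ini_flag(string $name): bool
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, ['1', 'on', 'yes', 'true'], true);
}

// Report the state of the two settings discussed in the thread.
function audit_url_settings(): array
{
    $findings = [];
    if (ini_flag('allow_url_include')) {
        $findings[] = 'allow_url_include=On: include/require can execute code fetched from a URL';
    }
    if (ini_flag('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen=On: file functions can fetch URLs (content is not executed)';
    }
    return $findings;
}

// Allowlist of includable pages: request value => file under the pages directory.
const PAGES = ['home' => 'home.php', 'contact' => 'contact.php'];
// Map a request value to a local file, or null. Anything not in PAGES is rejected.
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // The resolved file must still sit inside the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary pages directory and three sample request values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");
foreach (['home', 'contact', 'http://www.example.com/page.html'] as $input) {
    $path = resolve_page($input, $dir);
    echo $input, ' => ', $path === null ? 'rejected' : "include $path", PHP_EOL;
}
echo implode(PHP_EOL, audit_url_settings()), PHP_EOL;
```

The caller passes only the returned path to `include`, so the decision does not depend on how `allow_url_include` happens to be set on a given server.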
