On Tue, Mar 3, 2009 at 11:52 AM, Chris <dmagick@xxxxxxxxx> wrote:

> Kaushal Shriyan wrote:
>
>> Hi,
>>
>> I have enabled allow_url_fopen & allow_url_include in php.ini file.
>> is it a security issue ?
>>
>
> allow_url_fopen means you can fetch pages:
>
> $page = file_get_contents('http://www.example.com');
>
> This is ok to enable - all it does is fetch the page. It does not execute
> the code it retrieved.
>
>
> allow_url_include means you can remotely include code as if it was on your
> server:
>
> include('http://www.example.com/page.html');
>
> That means if http://www.example.com/page.html includes any php code, it
> will be executed on your server - this one definitely is a security
> consideration.
>
> If you enable allow_url_include be very careful about what you include.
>
> If you're still not sure, enable url_fopen, do not enable url_include.
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>

Thanks Chris :-)

Kaushal
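
Added example (not part of the original thread): a small Python check that reads php.ini text and reports the effective state of the two directives discussed above. The function names and the sample file are constructed for illustration; the boolean parsing approximates PHP's, and the code assumes a later duplicate entry overrides an earlier one.

```python
import re

# PHP's built-in defaults for the two directives discussed in the thread.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}

# Constructed sample input, not a real server's configuration.
SAMPLE_INI = """\
[PHP]
allow_url_fopen = On
;allow_url_include = Off
allow_url_include = On   ; enabled, as in the question
"""

def ini_bool(raw):
    """Approximate how PHP reads a boolean php.ini value."""
    value = raw.strip().strip('"\'').lower()
    if value in ("on", "yes", "true"):
        return True
    try:
        return int(value) != 0      # "1" is on, "0" is off
    except ValueError:
        return False                # off, no, false, none, empty

def audit_php_ini(text):
    """Return (effective settings, findings) for php.ini content."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()    # ';' starts a comment
        m = re.match(r"(allow_url_(?:fopen|include))\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = ini_bool(m.group(2))  # assumed: last entry wins
    findings = []
    # allow_url_include only takes effect when allow_url_fopen is also on.
    if settings["allow_url_include"] and settings["allow_url_fopen"]:
        findings.append("allow_url_include is On: include() can run PHP code fetched from a URL")
    elif settings["allow_url_include"]:
        findings.append("allow_url_include is On but inactive while allow_url_fopen is Off")
    return settings, findings

if __name__ == "__main__":
    settings, findings = audit_php_ini(SAMPLE_INI)
    print(settings)
    for finding in findings:
        print("FINDING:", finding)
```

An empty findings list corresponds to the configuration recommended in the reply: allow_url_fopen on, allow_url_include off.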