On Tue, Mar 3, 2009 at 11:52 AM, Chris <dmagick@xxxxxxxxx> wrote:
> Kaushal Shriyan wrote:
>
>> Hi,
>>
>> I have enabled allow_url_fopen & allow_url_include in php.ini file.
>> is it a security issue ?
>>
>
> allow_url_fopen means you can fetch pages:
>
> $page = file_get_contents('http://www.example.com');
>
> This is ok to enable - all it does is fetch the page. It does not execute
> the code it retrieved.
>
>
> allow_url_include means you can remotely include code as if it was on your
> server:
>
> include('http://www.example.com/page.html'<http://www.example.com/page.html%27>
> );
>
> That means if http://www.example.com/page.html includes any php code, it
> will be executed on your server - this one definitely is a security
> consideration.
>
> If you enable allow_url_include be very careful about what you include.
>
> If you're still not sure, enable url_fopen, do not enable url_include.
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
> Thanks Chris :-)
Kaushal
