On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan <kaushalshriyan@xxxxxxxxx> wrote:

> On Tue, Mar 3, 2009 at 11:52 AM, Chris <dmagick@xxxxxxxxx> wrote:
>
>> Kaushal Shriyan wrote:
>>
>>> Hi,
>>>
>>> I have enabled allow_url_fopen & allow_url_include in php.ini file.
>>> Is it a security issue?
>>>
>>
>> allow_url_fopen means you can fetch pages:
>>
>> $page = file_get_contents('http://www.example.com');
>>
>> This is ok to enable - all it does is fetch the page. It does not execute
>> the code it retrieved.
>>
>>
>> allow_url_include means you can remotely include code as if it was on your
>> server:
>>
>> include('http://www.example.com/page.html');
>>
>> That means if http://www.example.com/page.html includes any php code, it
>> will be executed on your server - this one definitely is a security
>> consideration.
>>
>> If you enable allow_url_include be very careful about what you include.
>>
>> If you're still not sure, enable url_fopen, do not enable url_include.
>>
>> --
>> Postgresql & php tutorials
>> http://www.designmagick.com/
>>
>
> Thanks Chris :-)
>
> Kaushal
>

Hi Chris,

Can I use curl option to php to take care of the security issue so that I can
disable both allow_url_fopen & allow_url_include in php.ini file?

Please suggest.

Thanks and Regards

Kaushal
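
Added example, not part of the original thread: PHP's cURL extension is separate from the URL wrappers, so it keeps working when allow_url_fopen and allow_url_include are both off in php.ini, and what it returns is a string that is never executed. The sketch below reports the two settings and fetches a page only from an allowlisted https host; ALLOWED_HOSTS, is_allowed_url() and fetch_remote_page() are hypothetical names and the sample URLs are constructed.

```php
<?php
// Added example, not from the thread. ALLOWED_HOSTS, is_allowed_url() and
// fetch_remote_page() are hypothetical names; the sample URLs are constructed.
const ALLOWED_HOSTS = ['www.example.com'];

// Report the two php.ini switches discussed in the thread.
function url_wrapper_settings(): array {
    $flag = fn(string $k): bool => filter_var(ini_get($k), FILTER_VALIDATE_BOOLEAN);
    return ['allow_url_fopen'   => $flag('allow_url_fopen'),
            'allow_url_include' => $flag('allow_url_include')];
}

// Accept only https URLs whose host is on the allowlist.
function is_allowed_url(string $url): bool {
    $p = parse_url($url);
    return is_array($p) && isset($p['scheme'], $p['host'])
        && strtolower($p['scheme']) === 'https'
        && in_array(strtolower($p['host']), ALLOWED_HOSTS, true);
}

// Fetch a page with cURL. The body comes back as a string: it is data and is
// never passed to include/require/eval, so PHP code in it is not executed.
function fetch_remote_page(string $url): string {
    if (!is_allowed_url($url)) {
        throw new InvalidArgumentException("URL not on allowlist: $url");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,             // return the body, do not print it
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse file://, ftp://, ...
        CURLOPT_FOLLOWLOCATION => false,            // no redirects off the allowlist
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('cURL error: ' . curl_error($ch));
    }
    return $body;
}

foreach (url_wrapper_settings() as $name => $on) {
    printf("%-18s %s\n", $name, $on ? 'On' : 'Off');
}
foreach (['https://www.example.com/page.html', 'http://www.example.com/page.html',
          'https://www.example.com.other.test/x', 'ftp://www.example.com/page.html'] as $u) {
    printf("%-40s %s\n", $u, is_allowed_url($u) ? 'allowed' : 'rejected');
}
if (in_array('--fetch', $argv ?? [], true)) {       // network use is opt-in
    echo htmlspecialchars(fetch_remote_page('https://www.example.com/page.html'));
}
```

Run from the CLI it prints the current settings and the allowlist decisions; pass `--fetch` to perform the request.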