Kaushal Shriyan wrote:
On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan
<kaushalshriyan@xxxxxxxxx> wrote:
On Tue, Mar 3, 2009 at 11:52 AM, Chris <dmagick@xxxxxxxxx> wrote:
Kaushal Shriyan wrote:
Hi,
I have enabled allow_url_fopen & allow_url_include in
php.ini file.
Is it a security issue?
allow_url_fopen means you can fetch pages:
$page = file_get_contents('http://www.example.com');
This is OK to enable - all it does is fetch the page. It does
not execute the code it retrieved.
allow_url_include means you can remotely include code as if it
was on your server:
include('http://www.example.com/page.html');
That means if http://www.example.com/page.html includes any php
code, it will be executed on your server - this one definitely
is a security consideration.
If you enable allow_url_include be very careful about what you
include.
If you're still not sure, enable url_fopen, do not enable
url_include.
--
Postgresql & php tutorials
http://www.designmagick.com/
Thanks Chris :-)
Kaushal
Hi Chris
Can I use the curl option in PHP to take care of the security issue, so that
I can disable both allow_url_fopen & allow_url_include in the php.ini file?
allow_url_include is a security issue because it will actually execute
the code returned from the url (like an 'include' or 'require' does
locally).
allow_url_fopen is not a security issue - it only returns the code, it
does not execute it.
But yes, you can use curl instead of relying on allow_url_fopen.
--
Postgresql & php tutorials
http://www.designmagick.com/
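Added example (not code from the thread or from either poster) contrasting the two settings Chris describes and the curl alternative Kaushal asks about. The page names, allowlist entries, directory and URL in it are placeholders chosen for illustration.

```php
<?php
// Added example, not from the mailing-list thread. Suggested php.ini values
// matching Chris's advice:
//     allow_url_fopen   = On    ; file_get_contents('http://...') fetches data only
//     allow_url_include = Off   ; include('http://...') would run remote code
// Run with:  php -d allow_url_include=0 example.php

declare(strict_types=1);

// 1. Report the runtime configuration. allow_url_include is PHP_INI_SYSTEM,
//    so a script can only read it, never switch it on; if this reports true,
//    the fix belongs in php.ini.
function reportUrlSettings(): array
{
    return [
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
    ];
}

// 2. The pattern to avoid: a request parameter decides what gets included.
//    With allow_url_include=On, a value naming a remote URL would make PHP
//    execute whatever that URL returns, exactly as Chris describes. Even with
//    it Off this still exposes local files, so the function is never called.
function riskyInclude(string $page): void
{
    include $page . '.php';
}

// 3. Hardened form: map the request value onto a fixed allowlist of local
//    files and confirm the resolved path stays under the include directory.
//    No remote URL can ever reach include() this way.
function safeInclude(string $page, string $baseDir): bool
{
    static $allowed = ['home' => 'home.php', 'about' => 'about.php']; // placeholder names
    if (!isset($allowed[$page])) {
        return false;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// 4. Fetching a remote page with curl, as Chris suggests, so allow_url_fopen
//    can stay Off as well. The body comes back as a string and is treated as
//    data only; it is never handed to include() or eval().
function fetchWithCurl(string $url): ?string
{
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,            // do not follow redirects blindly
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse file://, ftp://, etc.
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $ok   = $body !== false && curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200;
    curl_close($ch);
    return $ok ? $body : null;
}

if (PHP_SAPI === 'cli') {
    var_dump(reportUrlSettings());
    var_dump(safeInclude('home', __DIR__ . '/pages'));   // false unless pages/home.php exists
}
```

The allowlist in safeInclude is the part that matters: once the request value is only ever a key into a fixed table, it makes no difference what the user types, and the realpath check catches an entry that has been misconfigured to point outside the directory. fetchWithCurl keeps remote content on the data side of the line Chris draws between fetching and including.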
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php