-----------------------------------------------------------------------
Use FreeOpenSourceSoftwares, Stop piracy, Let the developers live.
Get a Free CD of Ubuntu mailed to your door without any cost.
Visit : www.ubuntu.com
----------------------------------------------------------------------

On Wed, Mar 4, 2009 at 3:26 AM, Chris <dmagick@xxxxxxxxx> wrote:
> Kaushal Shriyan wrote:
>
>> On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan <kaushalshriyan@xxxxxxxxx> wrote:
>>
>>> On Tue, Mar 3, 2009 at 11:52 AM, Chris <dmagick@xxxxxxxxx> wrote:
>>>
>>>> Kaushal Shriyan wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have enabled allow_url_fopen & allow_url_include in
>>>>> php.ini file.
>>>>> Is it a security issue?
>>>>
>>>> allow_url_fopen means you can fetch pages:
>>>>
>>>>     $page = file_get_contents('http://www.example.com');
>>>>
>>>> This is ok to enable - all it does is fetch the page. It does
>>>> not execute the code it retrieved.
>>>>
>>>> allow_url_include means you can remotely include code as if it
>>>> was on your server:
>>>>
>>>>     include('http://www.example.com/page.html');
>>>>
>>>> That means if http://www.example.com/page.html includes any php
>>>> code, it will be executed on your server - this one definitely
>>>> is a security consideration.
>>>>
>>>> If you enable allow_url_include be very careful about what you
>>>> include.
>>>>
>>>> If you're still not sure, enable url_fopen, do not enable
>>>> url_include.
>>>>
>>>> --
>>>> Postgresql & php tutorials
>>>> http://www.designmagick.com/
>>>
>>> Thanks Chris :-)
>>>
>>> Kaushal
>>
>> Hi Chris
>>
>> Can I use the curl option in PHP to take care of the security issue so that I
>> can disable both allow_url_fopen & allow_url_include in php.ini file?
>
> allow_url_include is a security issue because it will actually execute the
> code returned from the url (like an 'include' or 'require' does locally).
>
> allow_url_fopen is not a security issue - it only returns the code, it does
> not execute it.
>
> But yes you can use curl instead of relying on allow_url_fopen.

Well, allow_url_fopen is really a security issue. A renowned programmer
(http://hasin.wordpress.com) said it could even cause DoS (Denial of Service)
for the running server.

Read Chris Shiflett's blog:
http://shiflett.org/
http://sitepoint.com/article/php-security-blunders
http://phpsec.org/projects/guide/

Regards
Lenin
www.twitter.com/nine_L

> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
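Below is an added example of what Kaushal asked about (it is not code from anyone in this thread): keeping both allow_url_fopen and allow_url_include switched off in php.ini, fetching remote pages through the curl extension instead, and never letting a URL or a user-supplied string reach include(). It assumes the curl extension is loaded; the ALLOWED_HOSTS list, the timeouts, the byte cap and the pages map are constructed values for illustration. The timeouts and the size cap address the DoS concern Lenin raises: with file_get_contents() over a URL there is no built-in bound on how long a slow remote server can hold a PHP worker, whereas curl lets you set one.

```php
<?php
// Added example, not from the thread. Recommended php.ini settings
// (assumed deployment; adjust to your own):
//   allow_url_fopen   = Off
//   allow_url_include = Off
// With both Off, file_get_contents('http://...') and include('http://...')
// fail outright, so remote content can never be pulled into the interpreter
// by accident. Remote data is fetched with curl and treated strictly as data.

declare(strict_types=1);

// Hosts this application is permitted to contact (constructed for the example).
const ALLOWED_HOSTS = ['www.example.com', 'api.example.com'];

// Bounds that limit what a slow or oversized remote server can cost us.
const CONNECT_TIMEOUT_SEC = 3;
const TOTAL_TIMEOUT_SEC   = 10;
const MAX_BODY_BYTES      = 1024 * 1024; // 1 MiB

/**
 * Fetch a URL with curl. Returns the body as a string, or null on any failure.
 * The returned body is DATA: it is never passed to include/require/eval.
 */
function fetch_remote(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only plain http/https, and only to hosts we explicitly trust.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }

    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }

    $body = '';
    curl_setopt_array($ch, [
        CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => CONNECT_TIMEOUT_SEC,
        CURLOPT_TIMEOUT        => TOTAL_TIMEOUT_SEC,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Accumulate the body ourselves so the size cap is enforced even when
        // the server sends no Content-Length header.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            if (strlen($body) > MAX_BODY_BYTES) {
                return 0; // returning fewer bytes than given aborts the transfer
            }
            return strlen($chunk);
        },
    ]);

    $ok    = curl_exec($ch);
    $errno = curl_errno($ch);
    curl_close($ch);

    if ($ok === false || $errno !== 0) {
        return null; // timeout, TLS failure, oversized body, or network error
    }
    return $body;
}

/**
 * Map a page name to a local file. The map IS the complete set of includable
 * files, so neither a URL nor an arbitrary path can ever reach include().
 */
function resolve_page(string $name): ?string
{
    static $pages = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $pages[$name] ?? null;
}

// Usage (constructed):
$html = fetch_remote('https://www.example.com/');
if ($html === null) {
    error_log('remote fetch failed or was refused');
}

$file = resolve_page($_GET['page'] ?? 'home');
if ($file !== null) {
    include $file; // always a fixed local path, never remote content
}
```

The two functions separate the two concerns Chris distinguishes: fetch_remote() is the curl replacement for file_get_contents() over a URL and only ever returns a string, while resolve_page() is the pattern for "be very careful about what you include": the include target comes from a fixed map of local files, so allow_url_include is never needed.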