allow_url_include is (or should be) disabled by default.

http://us2.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include

I can't think of one good reason to ever enable this, it would be a security issue no matter how you slice it...

-----Original Message-----
From: Igor Escobar [mailto:titiolinkin@xxxxxxxxx]
Sent: Tuesday, June 08, 2010 10:11 AM
To: richgray@xxxxxxxxx
Cc: <php-general@xxxxxxxxxxxxx>
Subject: Re: Security Issue

Hey Richard,

I'll find more about this parameter allow_url_include, thank you!

Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)

On Mon, Jun 7, 2010 at 5:26 PM, richard gray <rich@xxxxxxxxxxxx> wrote:

> On 07/06/2010 20:00, Igor Escobar wrote:
>
>> PHP Injection is the technical name given to a security hole in PHP
>> applications. When this gap there is a hacker can do with an external code
>> that is interpreted as an inner code as if the code included was more a
>> part of the script.
>>
>> // my code...
>> // my code...
>> include ('http://..../externalhackscript.txt');
>> //my code...
>> //my code..
>>
> can you not switch off remote file includes in php.ini?
> This will stop include/require from a remote host..
> i.e. allow_url_include = Off in php.ini
>
> HTH
> Rich
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
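
Added example (not part of the thread and not code from any of the posters): a front controller that checks the effective allow_url_include value at runtime and fails closed if it is on, then goes one step beyond the php.ini setting discussed above by resolving includes through a fixed allowlist. The page names, the `page` parameter and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Page names and the pages/ directory are hypothetical.

// True when include/require would accept a URL and run whatever it returns.
function remote_include_enabled(): bool
{
    // ini_get() can return "1", "", "0" or the literal php.ini text ("On"/"Off"),
    // so normalise it rather than comparing strings.
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Map a request value to a local file through a fixed allowlist. The value is
// only ever used as an array key, never as a path or URL.
function resolve_page($requested, array $allowlist, string $baseDir): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, $allowlist)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$requested]);
    // realpath() returns false for missing files; also require the resolved
    // file to sit under the base directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (remote_include_enabled()) {
    // Fail closed: refuse to serve anything until php.ini is corrected.
    error_log('allow_url_include is On; set allow_url_include = Off in php.ini');
    http_response_code(500);
    exit('Server misconfigured');
}

$pages = ['home' => 'home.php', 'contact' => 'contact.php']; // hypothetical allowlist
$target = resolve_page($_GET['page'] ?? 'home', $pages, __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}
include $target;
```

With allow_url_include = Off, a URL handed to include is rejected by PHP itself; the allowlist additionally keeps request data from choosing a local path.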