Kaushal Shriyan wrote:
Hi,

I have enabled allow_url_fopen & allow_url_include in php.ini file.
is it a security issue ?

allow_url_fopen means you can fetch pages:

$page = file_get_contents('http://www.example.com');

This is ok to enable - all it does is fetch the page. It does not execute the code it retrieved.


allow_url_include means you can remotely include code as if it was on your server:

include('http://www.example.com/page.html');

That means if http://www.example.com/page.html includes any php code, it will be executed on your server - this one definitely is a security consideration.

If you enable allow_url_include be very careful about what you include.

If you're still not sure, enable url_fopen, do not enable url_include.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to