Kaushal Shriyan wrote:
On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan <kaushalshri...@gmail.com> wrote:


    On Tue, Mar 3, 2009 at 11:52 AM, Chris <dmag...@gmail.com> wrote:

        Kaushal Shriyan wrote:

            Hi,

            I have enabled allow_url_fopen & allow_url_include in
            php.ini file.
            Is it a security issue?


        allow_url_fopen means you can fetch pages:

        $page = file_get_contents('http://www.example.com');

        This is ok to enable - all it does is fetch the page. It does
        not execute the code it retrieved.


        allow_url_include means you can remotely include code as if it
        was on your server:

        include('http://www.example.com/page.html');

        That means if http://www.example.com/page.html includes any php
        code, it will be executed on your server - this one definitely
        is a security consideration.

        If you enable allow_url_include be very careful about what you
        include.

        If you're still not sure, enable url_fopen, do not enable
        url_include.

        --
        Postgresql & php tutorials
        http://www.designmagick.com/

    Thanks Chris :-)

    Kaushal

Hi Chris

Can I use the curl option in PHP to take care of the security issue, so that I can disable both allow_url_fopen & allow_url_include in the php.ini file?

allow_url_include is a security issue because it will actually execute the code returned from the url (like an 'include' or 'require' does locally).

allow_url_fopen is not a security issue - it only returns the code, it does not execute it.

But yes you can use curl instead of relying on allow_url_fopen.

--
Postgresql & php tutorials
http://www.designmagick.com/
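
An added example, not part of the original thread: fetching a remote page with curl so that both allow_url_fopen and allow_url_include can stay Off, with the response handled only as a string. The ALLOWED_HOSTS allow-list, the function name fetch_as_data and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. ALLOWED_HOSTS is a hypothetical
// allow-list; the URLs at the bottom are constructed sample input.
const ALLOWED_HOSTS = ['www.example.com'];

function fetch_as_data(string $url): string
{
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("scheme not allowed: $url");
    }
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException("host not on allow-list: $url");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,   // return the body as a string
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could leave the allow-list
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('fetch failed: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status !== 200) {
        throw new RuntimeException("unexpected HTTP status $status");
    }
    return $body; // a plain string: never pass it to include, require or eval
}

// Report the two php.ini settings discussed in the thread.
foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
    $on = filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
    printf("%s = %s\n", $key, $on ? 'On' : 'Off');
}
$samples = ['http://www.example.com/page.html',
            'ftp://www.example.com/page.html',
            'http://other.example.net/page.html'];
foreach ($samples as $url) {
    try {
        echo htmlspecialchars(substr(fetch_as_data($url), 0, 80)), "\n";
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The second and third sample URLs are rejected before any network request is made; the first is fetched only if the host is reachable, and otherwise reports a fetch failure.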


--
PHP General Mailing List (http://www.php.net/)