Re: [PHP] allow_url_fopen allow_url_include

2009-03-03 Thread Chris

Kaushal Shriyan wrote:
On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan kaushalshri...@gmail.com wrote:


On Tue, Mar 3, 2009 at 11:52 AM, Chris dmag...@gmail.com wrote:

Kaushal Shriyan wrote:

Hi,

I have enabled allow_url_fopen & allow_url_include in the php.ini file.
Is it a security issue?


allow_url_fopen means you can fetch pages:

$page = file_get_contents('http://www.example.com');

This is ok to enable - all it does is fetch the page. It does
not execute the code it retrieved.


allow_url_include means you can remotely include code as if it
was on your server:

include('http://www.example.com/page.html');

That means if http://www.example.com/page.html includes any php
code, it will be executed on your server - this one definitely
is a security consideration.

If you enable allow_url_include be very careful about what you
include.

If you're still not sure, enable url_fopen, do not enable
url_include.

-- 
Postgresql & php tutorials

http://www.designmagick.com/

Thanks Chris :-)

Kaushal

Hi Chris

Can I use the curl option in PHP to take care of the security issue, so that
I can disable both allow_url_fopen & allow_url_include in the php.ini file?


allow_url_include is a security issue because it will actually execute 
the code returned from the url (like an 'include' or 'require' does 
locally).


allow_url_fopen is not a security issue - it only returns the code, it 
does not execute it.


But yes you can use curl instead of relying on allow_url_fopen.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] allow_url_fopen allow_url_include

2009-03-03 Thread 9el
---
Use FreeOpenSourceSoftwares, Stop piracy, Let the developers live. Get
a Free CD of Ubuntu mailed to your door without any cost. Visit :
www.ubuntu.com
--


On Wed, Mar 4, 2009 at 3:26 AM, Chris dmag...@gmail.com wrote:

 Kaushal Shriyan wrote:

 On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan kaushalshri...@gmail.com wrote:

On Tue, Mar 3, 2009 at 11:52 AM, Chris dmag...@gmail.com wrote:

Kaushal Shriyan wrote:

Hi,

I have enabled allow_url_fopen & allow_url_include in the php.ini file.
Is it a security issue?


allow_url_fopen means you can fetch pages:

$page = file_get_contents('http://www.example.com');

This is ok to enable - all it does is fetch the page. It does
not execute the code it retrieved.


allow_url_include means you can remotely include code as if it
was on your server:

include('http://www.example.com/page.html');

That means if http://www.example.com/page.html includes any php
code, it will be executed on your server - this one definitely
is a security consideration.

If you enable allow_url_include be very careful about what you
include.

If you're still not sure, enable url_fopen, do not enable
url_include.

--
Postgresql & php tutorials
http://www.designmagick.com/

Thanks Chris :-)

Kaushal

 Hi Chris

 Can I use the curl option in PHP to take care of the security issue, so that I
 can disable both allow_url_fopen & allow_url_include in the php.ini file?


 allow_url_include is a security issue because it will actually execute the
 code returned from the url (like an 'include' or 'require' does locally).

 allow_url_fopen is not a security issue - it only returns the code, it does
 not execute it.

 But yes you can use curl instead of relying on allow_url_fopen.


Well, allow_url_fopen is really a security issue. A renowned programmer
(http://hasin.wordpress.com) said it could even cause a DoS (Denial of Service)
for the running server.

Read Chris Shiflett's blog: http://shiflett.org/

http://sitepoint.com/article/php-security-blunders

http://phpsec.org/projects/guide/

Regards

Lenin

www.twitter.com/nine_L



 --
 Postgresql & php tutorials
 http://www.designmagick.com/


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] allow_url_fopen allow_url_include

2009-03-03 Thread Chris



allow_url_fopen is not a security issue - it only returns the code,
it does not execute it.

But yes you can use curl instead of relying on allow_url_fopen.


Well, allow_url_fopen is really a security issue. A renowned programmer
(http://hasin.wordpress.com) said it could even cause a DoS (Denial of
Service) for the running server.


So can curl.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
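Chris's point is that moving from allow_url_fopen to curl does not by itself remove the resource-exhaustion exposure: a remote host that answers slowly, or with an endless body, ties up the PHP worker either way unless the fetch is bounded. As an added example (not code from the thread or from any of its participants), here is a curl-based fetch that bounds connect and transfer time and caps the body size. The function name, the limits and the restriction to http/https are my own choices for the example; like file_get_contents(), it only returns text and never evaluates it.

```php
<?php
// Added example, not from the mailing-list thread: fetch a page with curl while
// bounding time and size, so a slow or oversized remote response cannot hold
// the worker indefinitely. Function name and limits are constructed here.

declare(strict_types=1);

function fetchPageBounded(string $url, int $maxBytes = 1048576, int $timeoutSec = 5): string
{
    // Only plain http/https targets are fetched (assumption: that is all the
    // caller needs); other schemes are refused before curl ever sees them.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https URLs are fetched');
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_CONNECTTIMEOUT => $timeoutSec,   // bound DNS + TCP connect
        CURLOPT_TIMEOUT        => $timeoutSec,   // bound the whole transfer
        CURLOPT_FOLLOWLOCATION => false,         // never chase redirects silently
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Accumulate the body ourselves so the size can be capped. Returning a
        // value other than strlen($chunk) makes libcurl abort the transfer.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body, $maxBytes): int {
            if (strlen($body) + strlen($chunk) > $maxBytes) {
                return -1; // abort: response larger than we are willing to hold
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ]);

    $ok     = curl_exec($ch);
    $err    = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($ok === false) {
        // Timeouts and the size cap both land here as a curl error.
        throw new RuntimeException("fetch failed: $err");
    }
    if ($status !== 200) {
        throw new RuntimeException("unexpected HTTP status $status");
    }
    // Same contract as file_get_contents(): the text comes back, nothing runs it.
    return $body;
}

// Usage: $html = fetchPageBounded('http://www.example.com');
```

The same bounds can be applied to file_get_contents() through a stream context timeout, but the size cap is what curl's write callback makes convenient; without one, either API will happily buffer whatever the remote side chooses to send.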



[PHP] allow_url_fopen allow_url_include

2009-03-02 Thread Kaushal Shriyan
Hi,

I have enabled allow_url_fopen & allow_url_include in the php.ini file.
Is it a security issue?

please help me understand about its implications.

Thanks and  Regards

Kaushal


Re: [PHP] allow_url_fopen allow_url_include

2009-03-02 Thread Chris

Kaushal Shriyan wrote:

Hi,

I have enabled allow_url_fopen & allow_url_include in the php.ini file.
Is it a security issue?


allow_url_fopen means you can fetch pages:

$page = file_get_contents('http://www.example.com');

This is ok to enable - all it does is fetch the page. It does not 
execute the code it retrieved.



allow_url_include means you can remotely include code as if it was on 
your server:


include('http://www.example.com/page.html');

That means if http://www.example.com/page.html includes any php code, it 
will be executed on your server - this one definitely is a security 
consideration.


If you enable allow_url_include be very careful about what you include.

If you're still not sure, enable url_fopen, do not enable url_include.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
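As an added example (not code from Chris's message or from the PHP project), here is how the distinction he draws looks in a deployment: allow_url_include stays off in php.ini, the script checks that at startup so a misconfigured server fails loudly, and include() only ever receives a path resolved from a fixed allowlist under a local directory. The directive values in the comment are the conservative choice; the function names, the allowlist and the pages/ directory are constructed for the example.

```php
<?php
// Added example, not from the thread: keep allow_url_fopen usable while refusing
// remote includes, and never hand include() a path built from user input.
//
// Recommended php.ini settings (the two directives the thread discusses):
//   allow_url_fopen   = On    ; file_get_contents('http://...') keeps working
//   allow_url_include = Off   ; include('http://...') is refused by the engine

declare(strict_types=1);

// Fail fast if the deployment accidentally enabled remote includes.
// ini_get() returns the raw directive value ("1", "On", "0", "" ...).
function assertNoRemoteInclude(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include is On; refusing to run');
    }
}

// Map a user-supplied page name to a file under a fixed local directory.
// $pages is a constructed allowlist: its keys are the only values accepted,
// so the request never names a file or URL directly.
function resolvePage(string $requested, array $pages, string $baseDir): string
{
    if (!array_key_exists($requested, $pages)) {
        throw new InvalidArgumentException('unknown page');
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    $base = realpath($baseDir);
    // realpath() resolves symlinks and "..", so a file that escaped $baseDir,
    // or does not exist, is rejected here rather than passed to include().
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('page outside of the allowed directory');
    }
    return $path;
}

assertNoRemoteInclude();

// Constructed allowlist and directory for the example.
$pages     = ['home' => 'home.php', 'about' => 'about.php'];
$requested = $_GET['page'] ?? 'home';

// The pattern to avoid is include($_GET['page']); with allow_url_include on
// that is exactly the remote include Chris warns about. Here the request only
// selects an allowlist key, and include() gets the resolved local path.
include resolvePage($requested, $pages, __DIR__ . '/pages');
```

Note that the allowlist protects against local path tricks as well, so it is worth keeping even on a server where allow_url_include is already off; the ini check is a belt-and-braces guard against a later configuration change.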



Re: [PHP] allow_url_fopen allow_url_include

2009-03-02 Thread Kaushal Shriyan
On Tue, Mar 3, 2009 at 11:52 AM, Chris dmag...@gmail.com wrote:

 Kaushal Shriyan wrote:

 Hi,

 I have enabled allow_url_fopen & allow_url_include in the php.ini file.
 Is it a security issue?


 allow_url_fopen means you can fetch pages:

 $page = file_get_contents('http://www.example.com');

 This is ok to enable - all it does is fetch the page. It does not execute
 the code it retrieved.


 allow_url_include means you can remotely include code as if it was on your
 server:

 include('http://www.example.com/page.html');

 That means if http://www.example.com/page.html includes any php code, it
 will be executed on your server - this one definitely is a security
 consideration.

 If you enable allow_url_include be very careful about what you include.

 If you're still not sure, enable url_fopen, do not enable url_include.

 --
 Postgresql & php tutorials
 http://www.designmagick.com/

 Thanks Chris :-)

Kaushal


Re: [PHP] allow_url_fopen allow_url_include

2009-03-02 Thread Kaushal Shriyan
On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan
kaushalshri...@gmail.com wrote:

 On Tue, Mar 3, 2009 at 11:52 AM, Chris dmag...@gmail.com wrote:

 Kaushal Shriyan wrote:

 Hi,

 I have enabled allow_url_fopen & allow_url_include in the php.ini file.
 Is it a security issue?


 allow_url_fopen means you can fetch pages:

 $page = file_get_contents('http://www.example.com');

 This is ok to enable - all it does is fetch the page. It does not execute
 the code it retrieved.


 allow_url_include means you can remotely include code as if it was on your
 server:

 include('http://www.example.com/page.html');

 That means if http://www.example.com/page.html includes any php code, it
 will be executed on your server - this one definitely is a security
 consideration.

 If you enable allow_url_include be very careful about what you include.

 If you're still not sure, enable url_fopen, do not enable url_include.

 --
 Postgresql & php tutorials
 http://www.designmagick.com/

 Thanks Chris :-)

 Kaushal

Hi Chris

Can I use the curl option in PHP to take care of the security issue, so that I
can disable both allow_url_fopen & allow_url_include in the php.ini file?

Please suggest

Thanks and Regards

Kaushal