Re: [PHP] allow_url_fopen & allow_url_include

2009-03-03 Thread Chris 



allow_url_fopen is not a security issue - it only returns the code,
it does not execute it.

But yes you can use curl instead of relying on allow_url_fopen.


Well,  allow_url_fopen is really a security issue. A renowned programmer 
(http://hasin.wordpress.com) said it could even cause DoS(Denial of 
Service) for the running server.


So can curl.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] allow_url_fopen & allow_url_include

2009-03-03 Thread 9el 
---
Use FreeOpenSourceSoftwares, Stop piracy, Let the developers live. Get
a Free CD of Ubuntu mailed to your door without any cost. Visit :
www.ubuntu.com
--


On Wed, Mar 4, 2009 at 3:26 AM, Chris  wrote:

> Kaushal Shriyan wrote:
>
>> On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan <
>> kaushalshri...@gmail.com > wrote:
>>
>>On Tue, Mar 3, 2009 at 11:52 AM, Chris > - Show quoted text -
>>> wrote:
>>
>>Kaushal Shriyan wrote:
>>
>>Hi,
>>
>>I have enabled allow_url_fopen & allow_url_include in
>>php.ini file.
>>is it a security issue ?
>>
>>
>>allow_url_fopen means you can fetch pages:
>>
>>$page = file_get_contents('http://www.example.com');
>>
>>This is ok to enable - all it does is fetch the page. It does
>>not execute the code it retrieved.
>>
>>
>>allow_url_include means you can remotely include code as if it
>>was on your server:
>>
>>include('http://www.example.com/page.html'
>>);
>>
>>That means if http://www.example.com/page.html includes any php
>>code, it will be executed on your server - this one definitely
>>is a security consideration.
>>
>>If you enable allow_url_include be very careful about what you
>>include.
>>
>>If you're still not sure, enable url_fopen, do not enable
>>url_include.
>>
>>--Postgresql & php tutorials
>>http://www.designmagick.com/
>>
>>Thanks Chris :-)
>>
>>Kaushal
>>
>> Hi Chris
>>
>> Can i use curl option to php to take care of the security issue so that i
>> can disable  both allow_url_fopen & allow_url_include in php.ini file.
>>
>
> allow_url_include is a security issue because it will actually execute the
> code returned from the url (like an 'include' or 'require' does locally).
>
> allow_url_fopen is not a security issue - it only returns the code, it does
> not execute it.
>
> But yes you can use curl instead of relying on allow_url_fopen.


Well,  allow_url_fopen is really a security issue. A renowned programmer (
http://hasin.wordpress.com) said it could even cause DoS(Denial of Service)
for the running server.

Read  Chris Shiflett's blog http://shiflett.org/

http://sitepoint.com/article/php-security-blunders

http://phpsec.org/projects/guide/

Regards

Lenin

www.twitter.com/nine_L


>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
>
> - Show quoted text -
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Re: [PHP] allow_url_fopen & allow_url_include

2009-03-03 Thread Chris 

Kaushal Shriyan wrote:
On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan 
mailto:kaushalshri...@gmail.com>> wrote:


On Tue, Mar 3, 2009 at 11:52 AM, Chris mailto:dmag...@gmail.com>> wrote:

Kaushal Shriyan wrote:

Hi,

I have enabled allow_url_fopen & allow_url_include in
php.ini file.
is it a security issue ?


allow_url_fopen means you can fetch pages:

$page = file_get_contents('http://www.example.com');

This is ok to enable - all it does is fetch the page. It does
not execute the code it retrieved.


allow_url_include means you can remotely include code as if it
was on your server:

include('http://www.example.com/page.html'
);

That means if http://www.example.com/page.html includes any php
code, it will be executed on your server - this one definitely
is a security consideration.

If you enable allow_url_include be very careful about what you
include.

If you're still not sure, enable url_fopen, do not enable
url_include.

-- 
Postgresql & php tutorials

http://www.designmagick.com/

Thanks Chris :-)

Kaushal

Hi Chris

Can i use curl option to php to take care of the security issue so that 
i can disable  both allow_url_fopen & allow_url_include in php.ini file.


allow_url_include is a security issue because it will actually execute 
the code returned from the url (like an 'include' or 'require' does 
locally).


allow_url_fopen is not a security issue - it only returns the code, it 
does not execute it.


But yes you can use curl instead of relying on allow_url_fopen.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] allow_url_fopen & allow_url_include

2009-03-02 Thread Kaushal Shriyan 
On Tue, Mar 3, 2009 at 12:21 PM, Kaushal Shriyan
wrote:

> On Tue, Mar 3, 2009 at 11:52 AM, Chris  wrote:
>
>> Kaushal Shriyan wrote:
>>
>>> Hi,
>>>
>>> I have enabled allow_url_fopen & allow_url_include in php.ini file.
>>> is it a security issue ?
>>>
>>
>> allow_url_fopen means you can fetch pages:
>>
>> $page = file_get_contents('http://www.example.com');
>>
>> This is ok to enable - all it does is fetch the page. It does not execute
>> the code it retrieved.
>>
>>
>> allow_url_include means you can remotely include code as if it was on your
>> server:
>>
>> include('http://www.example.com/page.html'
>> );
>>
>> That means if http://www.example.com/page.html includes any php code, it
>> will be executed on your server - this one definitely is a security
>> consideration.
>>
>> If you enable allow_url_include be very careful about what you include.
>>
>> If you're still not sure, enable url_fopen, do not enable url_include.
>>
>> --
>> Postgresql & php tutorials
>> http://www.designmagick.com/
>>
>> Thanks Chris :-)
>
> Kaushal
>
Hi Chris

Can i use curl option to php to take care of the security issue so that i
can disable  both allow_url_fopen & allow_url_include in php.ini file.

Please suggest

Thanks and Regards

Kaushal

Re: [PHP] allow_url_fopen & allow_url_include

2009-03-02 Thread Kaushal Shriyan 
On Tue, Mar 3, 2009 at 11:52 AM, Chris  wrote:

> Kaushal Shriyan wrote:
>
>> Hi,
>>
>> I have enabled allow_url_fopen & allow_url_include in php.ini file.
>> is it a security issue ?
>>
>
> allow_url_fopen means you can fetch pages:
>
> $page = file_get_contents('http://www.example.com');
>
> This is ok to enable - all it does is fetch the page. It does not execute
> the code it retrieved.
>
>
> allow_url_include means you can remotely include code as if it was on your
> server:
>
> include('http://www.example.com/page.html'
> );
>
> That means if http://www.example.com/page.html includes any php code, it
> will be executed on your server - this one definitely is a security
> consideration.
>
> If you enable allow_url_include be very careful about what you include.
>
> If you're still not sure, enable url_fopen, do not enable url_include.
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
> Thanks Chris :-)

Kaushal

Re: [PHP] allow_url_fopen & allow_url_include

2009-03-02 Thread Chris 

Kaushal Shriyan wrote:

Hi,

I have enabled allow_url_fopen & allow_url_include in php.ini file.
is it a security issue ?


allow_url_fopen means you can fetch pages:

$page = file_get_contents('http://www.example.com');

This is ok to enable - all it does is fetch the page. It does not 
execute the code it retrieved.



allow_url_include means you can remotely include code as if it was on 
your server:


include('http://www.example.com/page.html');

That means if http://www.example.com/page.html includes any php code, it 
will be executed on your server - this one definitely is a security 
consideration.


If you enable allow_url_include be very careful about what you include.

If you're still not sure, enable url_fopen, do not enable url_include.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php