Allow url fopen Has been turned off

Allow url fopen Has been turned off

Postby kevin » Mon May 01, 2006 1:37 pm

The allow_url_fopen is now set to off on all our servers to increase security.

allow_url_fopen allows a programmer to open/include a remote file using a url rather than a local file path.
You can still use this function in the form of cURL library.

Many programmers include files by pointing to remote url, even if the file is on the local system.

For example:

<?php include("http://example.com/includes/example_include.php"); ?>

With allow_url_fopen set to Off, this method will no longer work. Instead, the file must be included with the local path by doing either one the following three methods:

1. Using relative path, such as ../includes/example_include.php
2. Using absolute path, such as /home/username/public_html/includes/exampe_include.php
3. Using PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory.
For example:

<?php include($_SERVER['DOCUMENT_ROOT']."/includes/example_include.php"); ?>

Passing Variables to an include file:

It is worth mentioning that the alternative solutions presented here will result in a difference in the way the include() function is handled. The alternative solutions all return the PHP code from the included page; however, the now-unavailable remote URL method returns the result from the included page. One result of this behavior is that you cannot pass a querystring using the alternative solutions. You define the variables locally before performing the include.

For example:

<?php include("http://example.com/includes/example_include.php?var=example"); ?>

must be changed to:

<?php
$var = "example";
include($_SERVER['DOCUMENT_ROOT']."/includes/example_include.php");
?>

For maximum flexibility when using multiple includes, it's easier to create a variable:

<?php
$doc_root = $_SERVER['DOCUMENT_ROOT'];
include("$doc_root/includes/example_include.php");
include("$doc_root/includes/example_include2.php");
include("$doc_root/includes/example_include3.php");
include("$doc_root/includes/example_include4.php");
?>

Note: The technique works in the same way, regardless of whether you are using include() or require().
kevin
CWH Staff
 
Posts: 245
Joined: Mon Dec 13, 2004 12:48 pm
Location: Vancouver, BC

Postby AdMan » Wed Jul 26, 2006 12:53 pm

We're trying to run a php file that accesses a php file system from a suppliers website.

With allow_url_fopen turned off, there doesn't seem to be a way to access their php files. Is there any other way to access a php script from our suppliers server? We're simply trying to transfer data, but it must be calculated on their server.
Website marketing ebooks & software
http://www.express-marketing.com
AdMan
 
Posts: 10
Joined: Tue Jan 17, 2006 6:46 pm

Postby kevin » Thu Jul 27, 2006 2:09 pm

If you absolutely must require this option and this is no way around this, we do have one server that allows for this.

Email our tech support and we'll move you to that server.
kevin
CWH Staff
 
Posts: 245
Joined: Mon Dec 13, 2004 12:48 pm
Location: Vancouver, BC

Postby kevin » Sat Sep 09, 2006 5:30 pm

Update: Since the Tipping Point Instrusion System blocks remote malicious php include, we can turn this feature on again.
kevin
CWH Staff
 
Posts: 245
Joined: Mon Dec 13, 2004 12:48 pm
Location: Vancouver, BC

Postby kevin » Thu Jan 04, 2007 3:13 pm

Update: Although Tipping Point blocks the majority of these exploits, it doesn't block all. Unfortunately, we can no longer support allow_url_fopen on our servers. The risk is too high with this option turned on.
kevin
CWH Staff
 
Posts: 245
Joined: Mon Dec 13, 2004 12:48 pm
Location: Vancouver, BC


Return to PHP

Who is online

Users browsing this forum: Bing [Bot] and 0 guests

cron