Allow url fopen Has been turned off

Postby kevin » Mon May 01, 2006 1:37 pm

The allow_url_fopen is now set to off on all our servers to increase security.

allow_url_fopen allows a programmer to open/include a remote file using a URL rather than a local file path.
You can still use this function in the form of the cURL library.

Many programmers include files by pointing to a remote URL, even if the file is on the local system.

For example:

<?php include("http://example.com/includes/example_include.php"); ?>

With allow_url_fopen set to Off, this method will no longer work. Instead, the file must be included with the local path by using one of the following three methods:

1. Using a relative path, such as ../includes/example_include.php
2. Using an absolute path, such as /home/username/public_html/includes/example_include.php
3. Using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory.
For example:

<?php include($_SERVER['DOCUMENT_ROOT']."/includes/example_include.php"); ?>

Passing Variables to an include file:

It is worth mentioning that the alternative solutions presented here will result in a difference in the way the include() function is handled. The alternative solutions all return the PHP code from the included page; however, the now-unavailable remote URL method returns the result from the included page. One result of this behavior is that you cannot pass a querystring using the alternative solutions. You define the variables locally before performing the include.

For example:

<?php include("http://example.com/includes/example_include.php?var=example"); ?>

must be changed to:

<?php
$var = "example";
include($_SERVER['DOCUMENT_ROOT']."/includes/example_include.php");
?>

For maximum flexibility when using multiple includes, it's easier to create a variable:

<?php
$doc_root = $_SERVER['DOCUMENT_ROOT'];
include("$doc_root/includes/example_include.php");
include("$doc_root/includes/example_include2.php");
include("$doc_root/includes/example_include3.php");
include("$doc_root/includes/example_include4.php");
?>

Note: The technique works in the same way, regardless of whether you are using include() or require().
kevin
CWH Staff
 
Posts: 245
Joined: Mon Dec 13, 2004 12:48 pm
Location: Vancouver, BC
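
The post above mentions cURL as the remaining way to reach a remote URL. As an added example (not part of the original thread), this sketch fetches the output of a remote script, query string included, and treats it strictly as data rather than including it as code. The function name, the allow-list and the assumption that the remote host serves HTTPS are illustrative; example.com is the post's own placeholder.

```php
<?php
// Added example, not code from the original post.
// ALLOWED_HOSTS and fetch_remote_result() are hypothetical names.
const ALLOWED_HOSTS = ['example.com'];

function fetch_remote_result(string $url, array $query = []): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    // Only fixed, known hosts over HTTPS; never a host taken from user input.
    if (strtolower($parts['scheme']) !== 'https'
        || !in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('URL not on the allow-list');
    }
    if ($query) {
        // http_build_query() URL-encodes the values for us.
        $url .= (isset($parts['query']) ? '&' : '?') . http_build_query($query);
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,             // return the body, do not print it
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse file://, ftp://, etc.
        CURLOPT_FOLLOWLOCATION => false,            // no redirects to other hosts
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_FAILONERROR    => true,             // HTTP >= 400 counts as failure
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Remote fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Replaces include("http://example.com/includes/example_include.php?var=example");
try {
    $result = fetch_remote_result('https://example.com/includes/example_include.php', ['var' => 'example']);
    // The response is untrusted text: escape it for output, never eval/include it.
    echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
} catch (Exception $e) {
    error_log($e->getMessage());
}
```

Because the response is only ever handled as a string, a compromised or spoofed remote host can return bad data but cannot get PHP code executed on the local server, which is the risk the remote include carried.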

Postby AdMan » Wed Jul 26, 2006 12:53 pm

We're trying to run a PHP file that accesses a PHP file system from a supplier's website.

With allow_url_fopen turned off, there doesn't seem to be a way to access their PHP files. Is there any other way to access a PHP script from our supplier's server? We're simply trying to transfer data, but it must be calculated on their server.
Website marketing ebooks & software
http://www.express-marketing.com
AdMan
 
Posts: 10
Joined: Tue Jan 17, 2006 6:46 pm

Postby kevin » Thu Jul 27, 2006 2:09 pm

If you absolutely must require this option and there is no way around this, we do have one server that allows for this.

Email our tech support and we'll move you to that server.
kevin
CWH Staff
 
Posts: 245
Joined: Mon Dec 13, 2004 12:48 pm
Location: Vancouver, BC

Postby kevin » Sat Sep 09, 2006 5:30 pm

Update: Since the Tipping Point Intrusion System blocks remote malicious PHP includes, we can turn this feature on again.
kevin
CWH Staff
 
Posts: 245
Joined: Mon Dec 13, 2004 12:48 pm
Location: Vancouver, BC

Postby kevin » Thu Jan 04, 2007 3:13 pm

Update: Although Tipping Point blocks the majority of these exploits, it doesn't block all. Unfortunately, we can no longer support allow_url_fopen on our servers. The risk is too high with this option turned on.
kevin
CWH Staff
 
Posts: 245
Joined: Mon Dec 13, 2004 12:48 pm
Location: Vancouver, BC
