http://www.php.net/manual/en/features.remote-files.php
The only time I could ever think of doing include("http://someotherserver/foo.php") would be as some sort of weird intra-server service interface, but even then I could think of a million different ways that were safer to accomplish the same thing. Still, my specific question is, has anyone seen remote includes in a production environment and did it make any sense doing so?
Edit:
To clear something up, I would cause physical injury to befall anyone who ever tried to use remote includes in a production environment I worked on… So yes, I know this is a nightmarish security hole. Just trying to figure out why it's still there versus other weird ideas like magic quotes and global variables.
While I’ve never seen this in real life, I could imagine a farm with separate physical servers with no shared file system. You could possibly have one server with all the code, i.e. api.domain.com, and the other servers include from it. It would make deployments easier if you have tens or hundreds of separate sites. But as alex said, it’s asking to be hacked.