We have a couple of developers asking for allow_url_fopen to be enabled on our server. What’s the norm these days and if libcurl is enabled is there really any good reason to allow?
Environment is: Windows 2003, PHP 5.2.6, FastCGI
You definitely want allow_url_include set to Off, which mitigates many of the risks of allow_url_fopen as well.

But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don’t need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen may deter the least determined cracker.
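The refactoring the answer describes, as an added example that is not part of the original answer: a cURL-based fetch that works with allow_url_fopen set to Off, plus a report of the two settings. The names fetch_url() and ini_flag(), the 1 MiB cap and the timeouts are illustrative assumptions; the code assumes PHP 5.3 or later (closures) with the curl extension loaded.

```php
<?php
// Added example: fetch_url(), ini_flag() and the limits are illustrative assumptions.
// True when the php.ini switch is enabled ("1", "On", ...).
function ini_flag($name)
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

// Fetch a remote document over cURL so allow_url_fopen can stay Off.
function fetch_url($url, $maxBytes = 1048576)
{
    // Only absolute http/https URLs; file://, ftp://, php:// etc. are refused.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        throw new InvalidArgumentException('Only http and https URLs are allowed');
    }
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_FOLLOWLOCATION => false, // a redirect is returned, not followed
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Stream the body through a callback so its size can be capped.
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body, $maxBytes) {
            if (strlen($body) + strlen($chunk) > $maxBytes) {
                return 0; // a short count makes cURL abort the transfer
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ));
    if (defined('CURLOPT_PROTOCOLS')) { // not defined on older PHP/libcurl builds
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    }
    $ok     = curl_exec($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($ok === false || $status !== 200) {
        throw new RuntimeException("Fetch failed (HTTP $status): $error");
    }
    return $body;
}

// Report the two settings discussed above; both are expected to be Off.
foreach (array('allow_url_fopen', 'allow_url_include') as $name) {
    echo $name, ' = ', ini_flag($name) ? 'On' : 'Off', PHP_EOL;
}
```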