...

View Full Version : what is the security risk for enabling "allow_url_include" in php.ini on the server ?



crazy.works
03-26-2010, 01:19 PM
Hello, iam coding new php script, i need to use the url include inside that script, so i have to enable 'allow_url_include = On' in the 'php.ini' file on the Apache server....and that makes me wondering about those 2 important questions !!
1. what is the security risk for the server after enabling this function ??
2. what is the security risk for my php script after enabling this function and using it inside my script like:-
include('http://another-site.com/file.php');

thanks

tomws
03-26-2010, 02:29 PM
My signature is a good place to start. This link (http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html) is one of the results returned.

xconspirisist
03-30-2010, 09:00 PM
This really is quite a big security risk because if somebody else changes that file, your code can easily become vulnerable.

It is likely that there is a more secure way of doing what you want, could you be more specific as to your problem?



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum