View Full Version : what is the security risk for enabling "allow_url_include" in php.ini on the server ?

03-26-2010, 02:19 PM
Hello, iam coding new php script, i need to use the url include inside that script, so i have to enable 'allow_url_include = On' in the 'php.ini' file on the Apache server....and that makes me wondering about those 2 important questions !!
1. what is the security risk for the server after enabling this function ??
2. what is the security risk for my php script after enabling this function and using it inside my script like:-


03-26-2010, 03:29 PM
My signature is a good place to start. This link (http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html) is one of the results returned.

03-30-2010, 10:00 PM
This really is quite a big security risk because if somebody else changes that file, your code can easily become vulnerable.

It is likely that there is a more secure way of doing what you want, could you be more specific as to your problem?