allow_url_fopen is a PHP_INI_SYSTEM flag, which means you can't change it with
.htaccess
- mike
Unknown W. Brackets wrote:
Why not simply disable allow_url_fopen on your server or servers?
With it set off, you get these errors:
Warning: main() [function.main]: URL file-access is disabled in the
server configuration in .../test.php on line 3
Warning: main(http://www.google.com/) [function.main]: failed to open
stream: no suitable wrapper could be found in .../test.php on line 3
Warning: main() [function.include]: Failed opening
'http://www.google.com/' for inclusion (include_path='.') in
.../test.php on line 3
Now, yes, some scripts work better with that setting on, but it is
*the* setting to disable if you're worried about naive programmers.
You can even allow them to turn it back on with Apache's .htaccess.
-[Unknown]
I believe that the 'include' operator is intrinsically harmful. As
evidence I introduce three exhibits: Google for "php security flaw".
The very first page you find will explain how a very common use of
'include' is insecure. As the second bit of evidence, I introduce the
fact both of the naive php programmers working on my server introduced
this security flaw in separate web pages. As the third bit of
evidence, I point out that crackers have created security tools
designed specifically to exploit this flaw.
--
mike peter bretz metropolis ag / entwicklung
email: [EMAIL PROTECTED] heinestraße 72
phone: +49-7121-348-120 d-72762 reutlingen
fax: +49-7121-348-111 http://www.metropolis-ag.de/
metropolis ag. creating social internetworks.
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
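
The insecure use of 'include' that the thread describes, next to an allowlist form, as an added example that is not part of the original messages. The page names, the demo directory and the PAGES map are hypothetical.

```php
<?php
// Added example; PAGES, resolve_page() and the demo directory are hypothetical.

// The pattern the thread warns about (left commented out): the request
// parameter flows straight into include, so with allow_url_fopen enabled
// a URL is accepted as the file to load.
// include $_GET['page'] . '.php';

// Hardened form: the request value only selects a key from a fixed map;
// it is never used as part of a path or URL.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                 // unknown key, URL or traversal string
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the file must exist and resolve to a path under $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary page directory and inputs standing in for $_GET['page'].
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo \"home page\\n\";");

foreach (['home', 'http://www.google.com/', '../../etc/passwd'] as $input) {
    $file = resolve_page($input, $dir);
    if ($file === null) {
        echo "rejected: $input\n";
    } else {
        include $file;               // only ever a path built from PAGES
    }
}

// Report the server-wide setting discussed in the thread.
echo 'allow_url_fopen = ', ini_get('allow_url_fopen') ? 'On' : 'Off', "\n";
```

The allowlist rejects the URL and the traversal string regardless of how allow_url_fopen is set, so the include stays safe even where the setting cannot be turned off.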