URL File-Access


#1

For some reason, a setting has changed in PHP in the last few days… I’ve always been able to use the
file()
file_get_contents()
include()
include_once()
require()
and require_once()

function using other websites as a parameter (For instance, HTTP://google.com). Now, whenever I try to include an external resource location using http://, I receive a fatal error saying that URL File-Access has been disabled.

Anybody know anything about this?


Logical Programming
- Need a website? Programming, Designing, Logo Design, Template Design, and MORE!


#2

They disabled allow_url_fopen a while back. PHP can’t access remote files anymore.

If you want to access files on a different domain or subdomain on your own account, on the same server, you can create a symbolic link to that file and have PHP use that. That’s about all you can do.


#3

How retarded… I will not resubscribe to DreamHost.


Logical Programming
- Need a website? Programming, Designing, Logo Design, Template Design, and MORE!


#4

it’s a security issue, you will probably find that many hosts now have it disabled. With that tag in PHP a hacker can use it to get at your file easly and mess things up good - it may be annoying to work around it, but it’s best in the long run.

If you’re using this with in a script, you may be able to download a new verison that has allready fixed the problem. If you’re usinga custom made script, search this form for previous threads where prople have posted work-arounds.

-Matttail


#5

That would be a stupid decision. The decision to disable allow_url_fopen was carefully considered, and I believe it to be a sound one. The cURL library can accomplish everything you could possibly need, in a far more secure framework.

You will find more information about this issue on the DreamHost Wiki. If you take the time to inform yourself of the issues involved, you will see the sense of the decision.


Simon Jessey
Keystone Websites | si-blog


#6

OH YEAH! cURL… My friend, cURL, I love him…

I haven’t worked with that guy in ages…

All hail the cURL libraries!


Logical Programming
- Need a website? Programming, Designing, Logo Design, Template Design, and MORE!


#7

Out of curiosity, what are the security risks of allowing URL fopen? Just asking because I have it enabled on my sites, and make use of it quite a bit.

The obvious issue would be with a poorly-written script carelessly passing unvalidated user input into the fopen function. That one seems easy enough to avoid, I’d think. What else?

(I do use curl in some places, but it seems to require more code. Of course, I could write a function to hide all that.)


#8

A basic Google search yields plenty of examples as to why the directive should be disabled, but the problem lies mostly with bad coding in lots of off-the-shelf and open source software.

I would argue that register_globals should also be set to false, but that would create an uproar.


Simon Jessey
Keystone Websites | si-blog


#9

As time goes on and register_globals has been off by default for longer and longer, the scripts that assume it’s on are becoming less common.

However, turning it off will break plenty of sites. And that’s just not something we want to do!

nate.


#10

[quote]As time goes on and register_globals has been off by default for longer and longer, the scripts that assume it’s on are becoming less common.

However, turning it off will break plenty of sites. And that’s just not something we want to do![/quote]
Like I said, it would cause an uproar. One of the things that made PHP so attractive in the beginning was the ease of use - and converting form variables to local variables automatically was part of that. With hindsight, of course, it can be seen that it was a dumb idea on the part of the PHP developers.

I have been with one or two hosts that have the directive set to false, but I’m sure that they are few and far between.


Simon Jessey
Keystone Websites | si-blog