
PHP Server Side Scripting Forum

    
Allow url and security risks.
PowerUp

5+ Year Member



 
Msg#: 3776493 posted 8:08 am on Oct 30, 2008 (gmt 0)

Hi, I added a php banner script to my webpage.

At first, the banner didn't show. The banner only showed up when my host enabled "Allow_url". I was told it was disabled by default due to security issues. I'd like to know what kind of security risks I face by enabling "allow_url".

Thank you.

 

Sekka

5+ Year Member



 
Msg#: 3776493 posted 9:55 am on Oct 30, 2008 (gmt 0)

"allow_url" means that a PHP file can be included into your script from an external website.

Because you have no control over this external content, someone could swap the file on the external website for some malicious code and use it to damage your website, spread malware, almost anything!

I would side with your hosting company and agree that this should not be turned on. I would find another way to include this code into your website. If it is just HTML you're including, use file_get_contents() [uk2.php.net].

PowerUp

5+ Year Member



 
Msg#: 3776493 posted 8:04 pm on Oct 30, 2008 (gmt 0)

"allow_url" means that a PHP file can be included into your script from an external website.

Because you have no control over this external content, someone could swap the file on the external website for some malicious code and use it to damage your website, spread malware, almost anything!

I would side with your hosting company and agree that this should not be turned on. I would find another way to include this code into your website. If it is just HTML you're including, use file_get_contents().

Do you mean ANYBODY could swap my files, or just specified people (like my advertisers) could swap the files? In my file, there's a PHP banner script. The script has specified which domain to fetch the ads from.

Sekka

5+ Year Member



 
Msg#: 3776493 posted 8:49 am on Oct 31, 2008 (gmt 0)

Whoever has access to the file you are calling in could swap the file. But then again, someone could compromise that server to gain access to yours via this hole.

Basically, allow_url is a no-no unless you really, really need it.
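
An added example, not code from any poster in this thread or from a banner vendor: the alternative suggested above, fetching the banner as data with file_get_contents() from one pinned host instead of include()-ing a remote file. The host ads.example.com, the function names and the sample response are constructed for illustration. The live fetch needs allow_url_fopen but not allow_url_include, and the rendering step assumes PHP's DOM extension is installed.

```php
<?php
// Added example. ads.example.com is a placeholder for the advertiser's host.
const AD_HOSTS = ['ads.example.com'];

// Pattern the thread warns about (requires allow_url_include=On): the response
// body is executed as PHP on your server.
//   include 'http://ads.example.com/banner.php';

function is_allowed_ad_url(string $url): bool
{
    $p = parse_url($url);
    return is_array($p) && ($p['scheme'] ?? '') === 'https'
        && in_array(strtolower($p['host'] ?? ''), AD_HOSTS, true);
}

function fetch_banner(string $url): ?string
{
    if (!is_allowed_ad_url($url)) return null;
    $ctx = stream_context_create(['http' => [
        'timeout' => 3,
        'follow_location' => 0, // a redirect could leave the pinned host
    ]]);
    // At most 64 KiB, returned as a string; nothing here parses it as PHP.
    $body = @file_get_contents($url, false, $ctx, 0, 65536);
    return $body === false ? null : $body;
}

// Rebuild the banner from one link and one image; scripts and handlers are dropped.
function render_banner(?string $html): string
{
    if ($html === null || $html === '') return '';
    $doc = new DOMDocument();
    @$doc->loadHTML($html);
    $a = $doc->getElementsByTagName('a')->item(0);
    $img = $doc->getElementsByTagName('img')->item(0);
    if (!$a || !$img) return '';
    $href = $a->getAttribute('href');
    $src = $img->getAttribute('src');
    if (!is_allowed_ad_url($href) || !is_allowed_ad_url($src)) return '';
    return sprintf('<a href="%s" rel="noopener"><img src="%s" alt="Advertisement"></a>',
        htmlspecialchars($href, ENT_QUOTES), htmlspecialchars($src, ENT_QUOTES));
}

// Constructed response standing in for a swapped file on the ad server.
$sample = '<?php echo "runs only if included"; ?><a href="https://ads.example.com/c?id=1"'
    . ' onclick="x()"><img src="https://ads.example.com/b.png"></a><script>x()</script>';
echo render_banner($sample), "\n";
// Live use: echo render_banner(fetch_banner('https://ads.example.com/banner.html'));
```

Fetched this way, a swapped file can at worst change the link and image shown to visitors within the pinned host; it never runs on the server, and the script tag and onclick handler in the sample do not reach the page.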

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved