Forum Moderators: coopster


fopen(): Disabled

What are the options

         

ukgimp

12:04 pm on Nov 5, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have been trying to integrate an XML feed but the host has fopen() disabled to avoid cross site scripting.

I have been informed that I "could" override this with:

php_flag allow_url_fopen on

but that this is a bad idea.

Is there another way?

I have heard of this:

$_REQUEST[file]

Can that help me, and any pointers to stop me getting this error:

Warning: fopen(): URL file-access is disabled in the server configuration

Cheers

coopster

2:38 pm on Nov 5, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



The allow_url_fopen directive is of type PHP_INI_SYSTEM, which means the entry can be set in php.ini or httpd.conf, that's it. So if you don't have access to either of those configuration files, that route won't work.

Other ideas? Well, depends on how strict they have you locked down, but you could try the CURL functions [php.net] or maybe opening your own socket?

ukgimp

10:53 am on Nov 11, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the reply Coopster.

I do have access to the httpd.conf file but I am concerned about cross scripting security flaws. Should I be concerned? My host says I should, but I "can" do it if I am prepared to take that risk.

mincklerstraat

11:13 am on Nov 11, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Things you can do to beef up your site against XSS:
- make sure all 'dynamic' includes that include something based on user input are thoroughly checked so the only possibilities of inclusion are the set of files you want
- keep all included files as filetype .php and see the thread Preventing output of includes [webmasterworld.com]
- if you use scripts whose source code is readily available, if it's permissible, remove phrases that these scripts produce which are unique to them - like "powered by openthumbgallery". If you still really want to give them credit, put it on a credits page in an image so it can't be googled.
- a great source for php security-related stuff (and other stuff): [talks.php.net...] .
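
An added example, not code from any poster in this thread: it combines the cURL route suggested above with the allowlisted "dynamic include" from the list, so allow_url_fopen can stay off. It assumes PHP 7+ with the cURL and SimpleXML extensions; FEED_URL, PAGES and the file names are constructed placeholders.

```php
<?php
// Added example. FEED_URL, PAGES and the pages/ directory are hypothetical.
const FEED_URL = 'https://feeds.example.com/products.xml';
const PAGES = ['home' => 'home.php', 'feed' => 'feed.php'];

// Map a request value to one of a fixed set of local files. The user value is
// only ever used as an array key, never as part of a path or URL.
function resolve_include($key): string
{
    $known = is_string($key) && array_key_exists($key, PAGES);
    return __DIR__ . '/pages/' . PAGES[$known ? $key : 'home'];
}

// Fetch the hard-coded feed with cURL instead of fopen('http://...').
function fetch_feed(string $url, int $maxBytes = 1048576): SimpleXMLElement
{
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, ftp://
        CURLOPT_FOLLOWLOCATION => false, // do not follow redirects to other hosts
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        // Collect the body ourselves and abort once it exceeds the size cap;
        // returning a length other than the chunk length stops the transfer.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body, $maxBytes): int {
            $body .= $chunk;
            return strlen($body) > $maxBytes ? 0 : strlen($chunk);
        },
    ]);
    $ok = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($ok === false || $status !== 200) {
        throw new RuntimeException('Feed fetch failed: ' . curl_error($ch));
    }
    // LIBXML_NONET stops the XML parser from loading network resources.
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false) {
        throw new RuntimeException('Feed is not well-formed XML');
    }
    return $xml;
}

// The include target comes from the allowlist, the feed URL from a constant.
// A request value such as 'http://other.example/x.txt' resolves to pages/home.php.
$target = resolve_include($_GET['page'] ?? 'home');
// include $target;
// $feed = fetch_feed(FEED_URL);
```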