
How to see if allow url include is enabled?


toplisek

8:33 am on Feb 13, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



How safe is it to have allow_url_include enabled?

SteveWh

1:52 pm on Feb 13, 2009 (gmt 0)

10+ Year Member



allow_url_include and allow_url_fopen allow a huge number of web attacks to be successful. Many websites get hacked because they have PHP vulnerabilities. If those sites had been using allow_url_include = Off, or the more general allow_url_fopen = Off, many of those hacks would NOT have been successful even if the underlying vulnerability were not fixed.

If you can get by without it, turn it off because it provides very real protection.

When you are including a file from the same website, you do not have to use the full URL, and should not.

If you're including a file from another website, ask yourself whether it's really necessary to do it that way. If it's a static file from another site you manage, you could make a local copy of the file and include it without the URL.

There are some situations where you might have to include by URL, but always try to find an alternative method first.
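The advice above (include local files by path, never by URL) in working code. This is an added example written for PHP 7 or later, not code from the post or from any project; the pages/ directory, the page names and the $_GET['page'] parameter are hypothetical.

```php
<?php
// Added example (not from the thread): including a local template safely.
// Assumptions (hypothetical): templates live in ./pages/ next to this script,
// and the requested page name arrives in $_GET['page'].

// Risky pattern: the include target is built from the request. With
// allow_url_include=On a remote URL can be pulled in; even with it Off,
// path manipulation can still reach unintended local files.
//   include $_GET['page'];   // do not do this

// Hardened pattern: map the request parameter onto a fixed allowlist of
// local files, so user input never becomes part of the include path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                       // not on the allowlist
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;                       // templates directory is missing
    }
    $path = realpath($base . '/' . PAGES[$requested]);
    // realpath() returns false for a missing file; the prefix check also
    // guards against a misconfigured PAGES entry pointing outside ./pages.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page((string) ($_GET['page'] ?? 'home'));
if ($file === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
include $file;   // a local filesystem path only, no URL, as the post recommends
```

The allowlist is the part that does the work: turning allow_url_include off blocks the remote case, but only a fixed mapping from request value to file keeps the local case safe as well.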

toplisek

7:18 am on Mar 3, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi,
is this the correct code to turn the variables OFF with .htaccess?
php_value allow_url_fopen Off
php_value allow_url_include Off

SteveWh

10:51 am on Mar 3, 2009 (gmt 0)

10+ Year Member



If you have PHP5 or earlier, you unfortunately cannot turn them off in .htaccess. It has to be done in php.ini. If your host doesn't allow you to have a php.ini file, then there's no way to turn them off. You just have to live with whatever settings the host provides.

In php.ini, the correct command is:

allow_url_fopen = Off

In PHP5.2 or greater, you can also use this:
allow_url_include = Off

If you could do it with .htaccess in PHP5, the correct commands would be:

php_flag allow_url_fopen Off
php_flag allow_url_include Off

If you have PHP6 or higher, the above commands should work in .htaccess.

[edited by: SteveWh at 10:55 am (utc) on Mar. 3, 2009]

toplisek

10:58 am on Mar 3, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Is my code then wrong?
php_value allow_url_fopen Off
php_value allow_url_include Off
What is different?

Will the server show the same for
<?php
phpinfo();
?>

and show the variables as ENABLED even when I put:
php_value allow_url_fopen Off
php_value allow_url_include Off

Currently they are ON, and if I put the code within the file it still shows ON.

SteveWh

11:29 am on Mar 3, 2009 (gmt 0)

10+ Year Member



php_value is wrong because it is only for variables that have numeric or string values.

For variables that have On/Off values, you are supposed to use php_flag.

All you need to do is change php_value to php_flag.

toplisek

1:41 pm on Mar 3, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



How can I see this result on the website, as
the info.php file shows the SERVER PHP variables, not my account's?

SteveWh

4:10 pm on Mar 3, 2009 (gmt 0)

10+ Year Member



If your report from phpinfo() is like mine, it will have two columns. "Master value" is the one set by the host. "Local value" has the values being used for your website. If you change any values in your configuration files (php.ini, .htaccess), you should see the changes in the "Local value" column.

toplisek

7:20 pm on Mar 3, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



They are both ON in each column.

SteveWh

10:35 pm on Mar 3, 2009 (gmt 0)

10+ Year Member



What version of PHP are you using?

Where are you setting these values, php.ini or .htaccess?
(The commands you use in php.ini are not the same ones you use in .htaccess.)

Are you sure that your host allows modifying PHP settings?

toplisek

8:11 am on Mar 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Q: What version of PHP are you using?
A: PHP Version 5.2.6

Q: Where are you setting these values, php.ini or .htaccess?
(The commands you use in php.ini are not the same ones you use in .htaccess.)
A: this code is set within .htaccess

Q: Are you sure that your host allows modifying PHP settings?
A: Yes, they advised me that PHP is vulnerable if it is not OFF. But I do not see where I can see this result with PHP code.

They told me:
info.php file shows the SERVER php variables, not your account's
info.php shows me:
                    Master   Local
allow_url_fopen     On       On
allow_url_include   On       On

SteveWh

11:06 am on Mar 4, 2009 (gmt 0)

10+ Year Member



In PHP 5.2.6, you cannot set those two variables in .htaccess. You must use php.ini:

Create a text file called: php.ini with these 2 lines in it:
allow_url_fopen = Off
allow_url_include = Off

Put php.ini in the top folder of your website, the same folder where your .htaccess file and your website's home page are.

Then run phpinfo().
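A script that answers both questions raised in this thread (what the master and local values are, and whether the running PHP would accept the directive from .htaccess or only from php.ini). It is an added example, not code from the thread; the file name check_url.php is hypothetical, and it relies on ini_get_all() and the PHP_INI_* constants, which exist in PHP 5 and later.

```php
<?php
// Added example (not from the thread): report the effective values of
// allow_url_fopen and allow_url_include, plus where each may be set.
// Save as check_url.php (hypothetical name) in the web root and request it,
// or run it with the CLI to see the command-line configuration instead.

const DIRECTIVES = ['allow_url_fopen', 'allow_url_include'];

// Translate the access bitmask reported by ini_get_all() into the places the
// directive can be changed from. PHP_INI_SYSTEM alone means php.ini or
// httpd.conf only (a per-directory php.ini read by a CGI/suPHP setup, as in
// this thread, counts as php.ini); .htaccess additionally needs PHP_INI_PERDIR.
function describe_access(int $access): string
{
    $places = [];
    if ($access & PHP_INI_SYSTEM) { $places[] = 'php.ini / httpd.conf'; }
    if ($access & PHP_INI_PERDIR) { $places[] = '.htaccess (mod_php) / .user.ini'; }
    if ($access & PHP_INI_USER)   { $places[] = 'ini_set() at runtime'; }
    return $places ? implode(', ', $places) : 'not changeable';
}

function report(): array
{
    $all = ini_get_all();   // default details=true: global_value, local_value, access
    $out = [];
    foreach (DIRECTIVES as $name) {
        if (!isset($all[$name])) {
            // allow_url_include does not exist before PHP 5.2
            $out[$name] = ['present' => false];
            continue;
        }
        $d = $all[$name];
        $out[$name] = [
            'present'  => true,
            'master'   => (string) $d['global_value'],   // phpinfo "Master value"
            'local'    => (string) $d['local_value'],    // phpinfo "Local value"
            'enabled'  => filter_var($d['local_value'], FILTER_VALIDATE_BOOLEAN),
            'settable' => describe_access((int) $d['access']),
        ];
    }
    return $out;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
echo 'PHP ', PHP_VERSION, ' (', PHP_SAPI, ")\n";
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', "\n\n";
foreach (report() as $name => $info) {
    if (!$info['present']) {
        echo "$name: not available in this PHP version\n";
        continue;
    }
    printf("%-18s master=%-3s local=%-3s -> %s\n", $name,
        $info['master'] === '' ? '0' : $info['master'],
        $info['local']  === '' ? '0' : $info['local'],
        $info['enabled'] ? 'ENABLED' : 'off');
    printf("%-18s changeable from: %s\n", '', $info['settable']);
}
```

If a directive is reported as changeable from php.ini / httpd.conf only, a php_flag line in .htaccess is silently ignored under mod_php, which matches what this thread observed: the Local value stays On until the setting is placed in a php.ini the server actually loads (the Loaded php.ini line shows which one that is).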

toplisek

11:10 am on Mar 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



In your last post you mentioned:
In PHP5.2 or greater, you can also use this:
allow_url_include = Off

SteveWh

12:57 pm on Mar 4, 2009 (gmt 0)

10+ Year Member



In PHP5.2 or greater, you can also use this:
allow_url_include = Off

That is in php.ini only. Not .htaccess. You cannot set these in .htaccess in PHP 5.2.6. It won't work.

toplisek

1:06 pm on Mar 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



OK, I understand.
But if I understand hosting, they can arrange that I modify .htaccess and then somehow connect php.ini to this. Is this a technically correct way, and is it possible?

SteveWh

5:20 pm on Mar 4, 2009 (gmt 0)

10+ Year Member



It's not technically correct. .htaccess and php.ini are separate. The server reads them at different times.

If your host has some connection between the two, I think it would be very strange.