If enabled, allow_url_fopen allows PHP's file functions (such as file_get_contents() and the include and require statements) can retrieve data from remote locations, like an FTP or web site.
Developers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.

It's advisable to put allow_url_fopen always off .


Recommendations

  • You can disable/enable allow_url_fopen in the php.ini file:
to disable:
; Disable allow_url_fopen for security reasons allow_url_fopen = 'off'

to enable:
; Enable allow_url_fopen
allow_url_fopen = 'on'


  • For remote file access, consider using the cURL functions provided by PHP.

Found this article interesting?
Subscribe to DomainRegister´s newsletter!

You can unsubscribe at any time by simply clicking the link in the footer of our emails. For information about our privacy practices, please visit our website.

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp s privacy practices here.

  • php, security
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

 Fatal error: Uncaught exception 'Exception' with message 'DateTime::__construct(): It is not safe to rely on the system's timezone settings.

If you get following error message:Fatal error: Uncaught exception 'Exception' with message...

 How to set php.ini values using .htaccess

You can override global values of system variables re-setting them in .htaccessFor each system...

 PHP Parse error: syntax error, unexpected $end

This is a very common error, typically caused by a missing } used in PHP to denote content...

 How to send mails through your website

On shared web hosting server for security reasons it's not possible unauthenticated email sending...

 Limiti funzione php mail()

per motivi di sicurezza sui nostri server di hosting shared Linux la funzione php mail() è...