allow_url_fopen can be used to retrieve data from remote servers or websites. However, if incorrectly used, this function can compromise the security of your site.
allow_url_fopen is fine. If you need the feature, enable it. There are better tools out there for loading data from remote URLs (like the curl extension), but it's good enough for some simple use cases. Its close relative, allow_url_include , is not safe.
Firstly, you have to access your cPanel control panel. Then, find the option MultiPHP INI Editor. Now, you have to click in the tab Editor Mode. Then, select the domain where you wish to enable allow_url_fopen in cPanel.
PHP disable_functions directive You can disable specific PHP functions by using the disable_functions directive in a custom php. ini file.
I think the answer comes down to how well you trust your developers to use the feature responsibly? Data from a external URL should be treated like any other untrusted input and as long as that is understood, what's the big deal?
The way I see it is that if you treat your developers like children and never let them handle sharp things, then you'll have developers who never learn the responsibility of writing secure code.
You definitely want allow_url_include
set to Off, which mitigates many of the risks of allow_url_fopen
as well.
But because not all versions of PHP have allow_url_include
, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen
may deter the least determined cracker.
It depends on the type of development. If your prototyping then enabling 'allow_url_fopen' is fine however there isn't a significant speed difference between libcurl and file_get_contents and enabling it is only a matter of convenience.
For production servers any call to libcurl should be flagged for a security audit. As should fopen and file_get_contents if 'allow_url_fopen' is enabled. Disabling 'allow_url_fopen' does not prevent exploits it only slightly limits the number of ways they can be done.
Cross-site scripting attacks are a pain, so that's a vote against. And you should absolutely have "allow_url_include" set to off, or you'll be in for a world of hurt.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With