2 php functions disabled on Server 2

---

I disabled 2 php functions on Server 2 due to security issues. (making it harder to compromise/hack websites)

allow_url_fopen
allow_url_include

If you really need them, then they should continue to work if you put the following in a local php.ini file.

Code:

php_value allow_url_fopen 1

Code:

php_value allow_url_include 1

Edit, this doesn't seem to work, please see my comment below for a solution that should work.



33 blog comments below

Bondings wrote:

I disabled 2 php functions on Server 2 due to security issues. (making it easier to compromise/hack websites)

I'm sure you meant "making it harder to compromise/hack websites"...

mOrpheuS on Wed Sep 26, 2007 6:50 am

Does that mean that the include() function will not work?

_AVG_ on Wed Sep 26, 2007 1:45 pm

NO, but you will need to use a path instead of a url. i.e. /home/you/domains/example.frih.net/public_html/config.php would work whereas http://example.frih.net/config.php wouldn't. Even then, as Bondings said, you can enable it if you wish.

mathiaus on Wed Sep 26, 2007 1:59 pm

Does this mean the file() function won't work? Cause my script is saying it is disabled... And I really need it right now...

If not, how can I enable it (I'm having trouble locating my php.ini file as well... )

Thanks

Star Wars Fanatic on Wed Sep 26, 2007 6:30 pm

Can you explain a bit more about where to put and how to configure our own php.ini? Should it contain only those two lines or the whole code for php.ini? Do we have to put it in the "public_html" folder, in each folder using these functions, or somewhere else? - I tried many ways, but without luck
Please I really need it working, my site is dead now...

Mrs Lycos on Thu Sep 27, 2007 8:48 am

I've got some problem too.

I've got error messages like this...

Warning: fopen() [function.fopen]: URL file-access is disabled in the server configuration in....

And like "Mrs Lycos" asked "Can you explain a bit more about where to put and how to configure our own php.ini?"

Thanks a lot in advance.

the-guide on Thu Sep 27, 2007 9:55 am

I'm sorry, but the php.ini directives don't seem to work. I think they are only able to disable it, not re-enable.

The solution is to use something like curl for opening url files.

Something like:

Code:

<?php /*    * @return string    * @param string $url    * @desc Return string content from a remote file    * @author Luiz Miguel Axcar (lmaxcar@yahoo.com.br) */ function get_content($url) {     $ch = curl_init();     curl_setopt ($ch, CURLOPT_URL, $url);     curl_setopt ($ch, CURLOPT_HEADER, 0);     ob_start();     curl_exec ($ch);     curl_close ($ch);     $string = ob_get_contents();     ob_end_clean();         return $string;    } #usage: $content = get_content ("http://www.php.net"); var_dump ($content); ?>

Bondings on Thu Sep 27, 2007 1:02 pm

Umm..... mOrpheuS , I think he meant that those functions were making it easier to hack/compromise websites. Not that he was making it easier to hack/compromise websites.

-Nick

polly-gone on Thu Sep 27, 2007 10:56 pm

Thanks for your support. OK I will try to do as you've advised, but I'm not sure " Bondings", the way to do that is to replace fopen() [function.fopen] with that new "curl code" in my php scripts, is that right or not? And do I need to do another task in addition?

Sorry if I'm annoyance, but honestly, I really don't know about that.

Thanks again in advance.

the-guide on Sat Sep 29, 2007 12:03 pm

Dear all will u plz help me in hosting my own php site

jawadali on Sat Sep 29, 2007 12:55 pm

Wiat so we can not reanable this in our php.ini ??? I dont like that one bit..

m-productions on Sat Sep 29, 2007 5:45 pm

Sorry , but I didn't understand what does this procedure affect on our sites .

I will read more of members' queries and staff replies to know more about this security issues .
thank you

alkutob on Sun Sep 30, 2007 2:02 am

it means anyone that uses the foopen or such, and use address such as www.asite.com will no longer work, which i dislike... we are stuck suing /home/m-productions.frih.net/public_html/lame/and/lamer.

m-productions on Sun Sep 30, 2007 5:07 am

Yea, I kinda need the functions for a lot of scripts I write. Is there no way to get it so I can enable it using a php.ini file, Bondings? That would be nice...

Star Wars Fanatic on Sun Sep 30, 2007 8:14 pm

thnaks for the changes bondings!!! appretiatte!!

rebeltrooper on Tue Oct 02, 2007 11:00 pm

i don't really like this. A lot of my scripts rely a lot on the include function. Is there any way to do it other than curl?

roboguyspacedude on Fri Oct 05, 2007 9:30 pm

Yes, a lot of scripts rely on the include() function - and on fopen(), but these options don't mean the entire functions won't work - only instances where the "file" you are trying to include or open is not a properly qualified file name but relies upon a URL reference.

Most uses of the include() or fopen() functions use pathnames within the server, since it is more efficient to use the files as they are, where they are, rather than to initiate some kind of network call.

Thus, not only will an absolute path (as in mathiaus' example) or a relative path (as in "../includes/YourInclude.php") work, it would also be a better programming practise unless you absolutely MUST include() or fopen() something that is NOT on your server (i.e. actually resides on ANOTHER host) - but that should be extremely rare.

Traveller on Tue Oct 09, 2007 2:04 pm

It is not so rare today, I need those functions to load feeds from other sites and show them in mine.
----------------------
I used the cURL functions, and can access the xml feeds from other sites.

Now, I want to style them using XSL, but the functions aren't available in the server. I already asked for this a long time ago (in support forum). Could you activate this module (libxslt) please Bondings?

Mrs Lycos on Thu Oct 11, 2007 2:35 am

Does this effect the require function?

Donutey on Mon Nov 05, 2007 12:28 am

at least include isn't completely shut off works.. That would be devastating.

You know though, if you have a fast enough growing websie on here you could just pay for a small host. Then you would get All the functions you need, without limitations. Cause free always has it's restrictions. Enjoy what you got

taytay on Sun Nov 18, 2007 9:27 pm

huh?
can someone explain?

dhthaking on Sun Dec 09, 2007 2:44 am

Does the upgrade affect PHP RSS feeds cause I notice that since the upgrade period, the RSS feed no longer work on my site. This is the code I provided by the site but all i get is a blank column:

<?php
$olderror_reporting =error_reporting(0);
include ("http://rssfeedreader.com/rss3/rss.php?url=http%3A%2F%2Fsearch.msn.com%2Fnews%2Fresults.aspx%3Fq%3DDOG%26format%3Drss&newpage=1&chead=1&atl=1&desc=1&owncss=&eleminate=&auth=&dts=&width=200&max=5&tlen=0&rnd=1&bt=3&bs=Double&nmb=1&ntb=1&naf=1&nst=1&nwd=600&nht=550&dlen=0&lstyle=-1&lc=Blue&bg=White&bc=Gray&spc=&ims=1&tc=&ts=11&tfont=Verdana,+Arial,+Sans-serif&rf=".$HTTP_SERVER_VARS['SERVER_NAME'].$HTTP_SERVER_VARS['PHP_SELF']."&phpout=1");
error_reporting($olderror_reporting);
?>

Anyone able to help me out here? Thanks.

Kelvin on Wed Dec 19, 2007 8:54 pm

Quote:

Does the upgrade affect PHP RSS feeds cause I notice that since the upgrade period, the RSS feed no longer work on my site. This is the code I provided by the site but all i get is a blank column: <?php $olderror_reporting =error_reporting(0); include ("http://rssfeedreader.com/rss3/rss.php?url=http%3A%2F%2Fsearch.msn.com%2Fnews%2Fresults.aspx%3Fq%3DDOG%26format%3Drss&newpage=1&chead=1&atl=1&desc=1&owncss=&eleminate=&auth=&dts=&width=200&max=5&tlen=0&rnd=1&bt=3&bs=Double&nmb=1&ntb=1&naf=1&nst=1&nwd=600&nht=550&dlen=0&lstyle=-1&lc=Blue&bg=White&bc=Gray&spc=&ims=1&tc=&ts=11&tfont=Verdana,+Arial,+Sans-serif&rf=".$HTTP_SERVER_VARS['SERVER_NAME'].$HTTP_SERVER_VARS['PHP_SELF']."&phpout=1"); error_reporting($olderror_reporting); ?> Anyone able to help me out here? Thanks.

yes because it uses the include feature

mahirharoon on Mon Dec 24, 2007 2:43 pm

Okay.. now i get it mahirharoon. Geezzzz.... so that means i won't be able to use the RSS feed through the custom code given. At 1st i thought the RSS site died or something... then I got suspicious and started searching and found this discussion. Now I'll have to try something else to try and get it to work... else it's back to javascript .....

Kelvin on Thu Jan 03, 2008 7:02 am

I tried the curl function as suggested but the outcome was not desirable. Looks more like coded text when displayed. You can have a look at the outcome here: http://www.petspots.frih.net/ under the news and events section.

Kelvin on Fri Jan 04, 2008 11:44 am

curl is enabled on server 1-the config is slightly different in server 2
see
http://www.frihost.com/forums/vp-454160.html#454160

mahirharoon on Wed Jan 09, 2008 7:37 pm

sadfsdafsdf

maxkezee on Fri Feb 08, 2008 4:37 pm

laksdfjlaks flksjfoisfjsldf

esupun on Sun Feb 17, 2008 11:19 am

I love PHP

esupun on Sun Feb 17, 2008 11:20 am

You have done a very nice job.

kshnbd on Sun Apr 13, 2008 12:47 am

Hi Bondings, please bring these functions back or if that isn't possible is there a way to enable them just for me, or is there something that I can do instead of using CURL?

I need it for automatically upgrading Wordpress plugins and the like, as well as grabbing external RSS feeds.

jylan on Wed Apr 16, 2008 9:37 am

Thats OK. I love PHP too!

KSPKSP on Fri May 16, 2008 4:23 pm

Kool a new update type thing

bow_death4 on Tue Jul 22, 2008 6:32 am