Hello, I am coding a new PHP script. I need to use a URL include inside that script, so I have to enable 'allow_url_include = On' in the 'php.ini' file on the Apache server, and that makes me wonder about these 2 important questions:
1. What is the security risk for the server after enabling this function?
2. What is the security risk for my PHP script after enabling this function and using it inside my script like this: include('http://another-site.com/file.php');
Thanks
Generally, you want this disabled because if you ever parse variables in any fopen() call or include() call, there's always a remote possibility that a malicious user could include a text or php script from their website, compromising your site. Better to use the cURL functions.
Should not go for it, critical reasons:
1. RFI - Remote file inclusion, which could lead to a straight deface.
2. LFI - Local file inclusion, which again could lead to a straight deface.
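
The cURL approach suggested in the replies, as an added example that is not any poster's code: it fetches the remote resource as data over HTTPS, so allow_url_include can stay Off. The function name fetch_remote_data, the host allowlist, the size cap and the assumption that the remote side returns JSON are all hypothetical.

```php
<?php
declare(strict_types=1);

// Pattern from the question (needs allow_url_include = On). The response body is
// parsed and executed as PHP on this server, so whoever controls that host, or
// the plain-HTTP path to it, controls the code that runs here:
//   include('http://another-site.com/file.php');

// Hypothetical allowlist: the only hosts this script may fetch from.
const ALLOWED_HOSTS = ['another-site.com'];
const MAX_BYTES = 1048576; // constructed 1 MiB cap on the response body

function fetch_remote_data(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('URL is not an allowlisted https:// address');
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse file://, ftp://, http://
        CURLOPT_FOLLOWLOCATION => false,           // a redirect could leave the allowlist
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        // Collect the body ourselves so an oversized response aborts the transfer.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            return strlen($body) > MAX_BYTES ? -1 : strlen($chunk);
        },
    ]);
    $ok = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error = curl_error($ch);
    if ($ok === false || $status !== 200) {
        throw new RuntimeException("Fetch failed (HTTP $status): $error");
    }

    // The response is parsed as data; it is never passed to include or eval.
    $data = json_decode($body, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('Expected a JSON object or array');
    }
    return $data;
}
```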