我应该在PHP中允许'allow_url_fopen'吗？ [英] Should I allow 'allow_url_fopen' in PHP?

问题描述

我们有几个开发人员要求在我们的服务器上启用 allow_url_fopen 。这些日子的规范是什么，如果 libcurl 启用，是否有任何好的理由允许？

环境是：你确定要 allow_url_include

>设置为Off，这也减轻了 allow_url_fopen 的许多风险。

但是因为并非所有版本PHP有 allow_url_include ，许多人的最佳做法是关闭fopen。像所有功能，现实是，如果你不需要它为您的应用程序，禁用它。如果你确实需要它，curl模块可能会做得更好，重构你的应用程序使用curl禁用 allow_url_fopen 可能会阻止最不确定的崩溃。

We have a couple of developers asking for allow_url_fopen to be enabled on our server. What's the norm these days and if libcurl is enabled is there really any good reason to allow?

Environment is: Windows 2003, PHP 5.2.6, FastCGI

解决方案

You definitely want allow_url_include set to Off, which mitigates many of the risks of allow_url_fopen as well.

But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen may deter the least determined cracker.

这篇关于我应该在PHP中允许'allow_url_fopen'吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！