我应该在PHP中允许'allow_url_fopen'吗? [英] Should I allow 'allow_url_fopen' in PHP?
问题描述
我们有几个开发人员要求在我们的服务器上启用 allow_url_fopen
。这些日子的规范是什么,如果 libcurl
启用,是否有任何好的理由允许?
环境是:你确定要 allow_url_include
allow_url_fopen
的许多风险。 但是因为并非所有版本PHP有 allow_url_include
,许多人的最佳做法是关闭fopen。像所有功能,现实是,如果你不需要它为您的应用程序,禁用它。如果你确实需要它,curl模块可能会做得更好,重构你的应用程序使用curl禁用 allow_url_fopen
可能会阻止最不确定的崩溃。
We have a couple of developers asking for allow_url_fopen
to be enabled on our server. What's the norm these days and if libcurl
is enabled is there really any good reason to allow?
Environment is: Windows 2003, PHP 5.2.6, FastCGI
You definitely want allow_url_include
set to Off, which mitigates many of the risks of allow_url_fopen
as well.
But because not all versions of PHP have allow_url_include
, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen
may deter the least determined cracker.
这篇关于我应该在PHP中允许'allow_url_fopen'吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!