我应该在 PHP 中允许 'allow_url_fopen' 吗? [英] Should I allow 'allow_url_fopen' in PHP?

问题描述

我们有几个开发人员要求在我们的服务器上启用 allow_url_fopen.现在的标准是什么，如果 libcurl 被启用，真的有什么好的理由允许吗?

We have a couple of developers asking for allow_url_fopen to be enabled on our server. What's the norm these days and if libcurl is enabled is there really any good reason to allow?

环境为:Windows 2003、PHP 5.2.6、FastCGI

Environment is: Windows 2003, PHP 5.2.6, FastCGI

推荐答案

您肯定希望 allow_url_include 设置为 Off，这也降低了 allow_url_fopen 的许多风险.

You definitely want allow_url_include set to Off, which mitigates many of the risks of allow_url_fopen as well.

但是因为不是所有版本的 PHP 都有 allow_url_include，所以很多人的最佳做法是关闭 fopen.与所有功能一样，现实是如果您的应用程序不需要它，请禁用它.如果您确实需要它，curl 模块可能会做得更好，并且重构您的应用程序以使用 curl 来禁用 allow_url_fopen 可能会阻止最不确定的破解者.

But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen may deter the least determined cracker.

这篇关于我应该在 PHP 中允许 'allow_url_fopen' 吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！