Quick...possibly stupid question.
When allow_url_include is set to off, does that prohibit other computers from remotely including the files on my site, or does it say that I'm not allowed to remotely include files from other sites?
1
-
1This option is deprecated as of PHP 7.4, and it is likely to be removed in the near future.MAChitgarha– MAChitgarha2021-03-06 12:20:29 +00:00Commented Mar 6, 2021 at 12:20
Add a comment
|
4 Answers
Settings in your php.ini only affect your PHP installation
Comments
As said in the php manual: http://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include is for including remote files, only if you let your directory to reach the source, others can include your php files.
Then is the second suggestion
1 Comment
James Walker
^^ AGREED ^^ add one more
Setting allow_url_include to off in your configuration means that your PHP code on your server will not be able to include remote files.
But it doesn't change anything for other servers, which might request files from your server, like anyone can from the web -- note, though, that if some PHP file is requested, it'll be interpreted, and its output (not its content ! ) will be sent.
2 Comments
Senica Gonzalez
So, let's say my file is a.php and code is echo $file; Does that mean that if a file b.php on a remote server includes a.php they cannot set $file before calling my file? I would assume this to be correct if only the output if returned.
Pascal MARTIN
if register_globals is not enabled (it should not be), then, no, the remote server cannot inject a value into $file.
It's always impossible to include PHP code from properly installed server, no matter of this configuration setting.
At the same time no PHP configuration setting can forbid HTTP clients from requesting resources from your HTTP server.
answered Apr 12, 2011 at 10:38
Your Common Sense
158k42 gold badges226 silver badges373 bronze badges