PhpSecInfo Test Information
This test checks to see if allow_url_include is enabled. Note that this setting is only available since PHP 5.2, so the test will not run if you have an older version.
If disabled, allow_url_include bars remote file access via the include and require statements, but leaves it available for other file functions like fopen() and file_get_contents(). include and require are the most common attack points for code injection attempts, so this setting plugs that particular hole without affecting the remote file access capabilities of the standard file functions.
Note that at this point we still recommend disabling allow_url_fopen as well, but developers who are confident in their secure coding practices may want to leave allow_url_fopen enabled.
By default, allow_url_include is disabled. If allow_url_fopen is disabled, allow_url_include is also disabled.
We strongly recommend keeping allow_url_include disabled.
You can disable allow_url_include in the php.ini file:
    ; Disable allow_url_include for security reasons
    allow_url_include = 'off'
The setting can also be disabled in Apache's httpd.conf file:
    # Disable allow_url_include for security reasons
    php_flag allow_url_include off
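To confirm the values PHP actually applies after editing php.ini or httpd.conf, a check along these lines can be used. This is an added example, not PhpSecInfo's own test code; the function names ini_flag_enabled and check_url_include are hypothetical.

```php
<?php
// Added example: function names are hypothetical, not part of PhpSecInfo.

// Interpret an ini_get() result the way PHP parses boolean directives.
// Returns null when the directive does not exist in this PHP build.
function ini_flag_enabled($name)
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null; // unknown directive, e.g. allow_url_include before PHP 5.2
    }
    $value = strtolower(trim($raw));
    if (in_array($value, array('on', 'yes', 'true'), true)) {
        return true;
    }
    return (int) $value !== 0; // "", "0", "off" => false; "1" => true
}

// Report on allow_url_include, taking allow_url_fopen into account.
function check_url_include()
{
    $include = ini_flag_enabled('allow_url_include');
    $fopen   = ini_flag_enabled('allow_url_fopen');

    if ($include === null) {
        return array('not_run', 'allow_url_include is not available in PHP ' . PHP_VERSION);
    }
    if (!$include) {
        $note = $fopen ? ' (allow_url_fopen is still enabled)' : '';
        return array('ok', 'allow_url_include is disabled' . $note);
    }
    if (!$fopen) {
        // The include setting has no effect while allow_url_fopen is off,
        // but it would become active as soon as allow_url_fopen is turned on.
        return array('notice', 'allow_url_include is on but inert: allow_url_fopen is disabled');
    }
    return array('warning', 'allow_url_include is enabled; include/require accept URLs');
}

list($status, $message) = check_url_include();
echo strtoupper($status), ': ', $message, PHP_EOL;
```

Run it through the web server rather than the command line, since the CLI and the Apache module can load different php.ini files.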
For remote file access, consider using the cURL functions that PHP provides.
- PHP.net manual: allow_url_include
- Minutes PHP Developers Meeting - November 2005: 6.2 Merge Hardened PHP patch into PHP