PHP Code of Conduct: allow_url_fopen and allow_url_include

Reference

Project | Description
Search engine | Bing, Google
AI large model | Wenxin Yiyan, Tongyi Qianwen, iFlytek Spark Cognitive Model, ChatGPT
PHP official | filesystem.configuration.php
PHP official | PHP Manual

Environment

Project | Description
PHP | 5.5.0, 5.6.8, 7.0.0, 7.2.5, 7.4.9, 8.0.0, 8.2.9
PHP editor | PhpStorm 2023.1.1 (Professional Edition)

allow_url_fopen

allow_url_fopen configuration item

allow_url_fopen is a configuration option in PHP that determines whether PHP can open files through URLs (instead of local file paths). The value of this option affects the behavior of some file-related functions in PHP, such as fopen() and file_get_contents(). Specifically, when allow_url_fopen is set to On, these functions can be used to read or write remote files. When it is set to Off, these functions can only operate on local files.

Operating remote files

When the allow_url_fopen option is set to On (currently, the allow_url_fopen option is on by default in every PHP version), PHP can access and process remote files. For example, you can use the file_get_contents() function to read the HTML content of a remote website, as in the following example:

<?php


# Fetch the HTML content of the Baidu page
# with the file_get_contents() function.
$content = file_get_contents('http://www.baidu.com');
var_dump($content);

Execution effect

Part of the output from the above example looks like this:

string(9508) "<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv= "X-UA-Compatible" content="IE=edge,chrome=1"><meta content="always" name="referrer"><meta name="description" content="The world's leading Chinese search engine, committed to To allow netizens to obtain information more conveniently and find what they are looking for. Baidu has a database of more than 100 billion Chinese web pages, and you can find relevant search results instantly. "><link rel="shortcut icon" href="//www.baidu.com/favicon.ico" type="image/x-icon"><link rel="search" type="application/opensearchdescription + xml " href="//www.baidu.com/content-search.xml" title="Baidu Search">
<title>Just search on Baidu and you will know</title><style...

file protocol

In PHP, the use of the file protocol is not controlled by the allow_url_fopen configuration item. For this, please refer to the following example:

<?php


# Read the value of the allow_url_fopen
# configuration item with ini_get().
var_dump(ini_get('allow_url_fopen'));

# Try to use file_get_contents to read the contents of
# C:\Users\Public\Documents\index.php on the current host.
var_dump(file_get_contents('file:///C:\Users\Public\Documents\index.php'));

Execution effect

Because the allow_url_fopen configuration item is enabled by default in PHP, turn it off before executing the above example (you can do this by modifying the PHP configuration file php.ini).
Because allow_url_fopen has been turned off, the output of the first var_dump statement is string(0) "". Even with allow_url_fopen turned off, functions such as file_get_contents can still operate on local files through the file protocol.

string(0) ""
string(35) "<?php


var_dump('Hello World');"

allow_url_include

allow_url_include configuration item

allow_url_include is a configuration directive of PHP, similar to allow_url_fopen, but allow_url_include is configured specifically for PHP’s include, include_once, require and require_once statements. When allow_url_include is set to On, PHP allows including and executing PHP files from remote servers via URLs. For this, please refer to the following example:

http://192.168.1.8/target

First, I prepared the file target on the server with the IP address 192.168.1.8, and accessed the page through the browser on the current host. The effect is as follows:

Enable allow_url_include option

Because the allow_url_include option is turned off by default in PHP 8.0.0, you need to turn it on by modifying the configuration file. In the php.ini configuration file, find the following line:

allow_url_include = Off

Modify it to the following content and save it.

allow_url_include = On

Execute the following sample code

<?php


include('http://192.168.1.8/target');

Execution effect

Because the allow_url_include configuration item was deprecated in PHP 7.4.0, enabling it makes PHP output the message PHP Deprecated: Directive 'allow_url_include' is deprecated in Unknown on line 0.
After executing the above example code, the contents of the target file are included into the current file and executed as PHP code.

PHP Deprecated: Directive 'allow_url_include' is deprecated in Unknown on line 0
string(11) "Hello World"

If the allow_url_include configuration item is not turned on before executing the above example code, the execution result will be as follows:

PHP Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in C:\index.php on line 4
PHP Warning: include(http://192.168.1.8/target): Failed to open stream: no suitable wrapper could be found in C:\index.php on line 4
PHP Warning: include(): Failed opening 'http://192.168.1.8/target' for inclusion (include_path='.;C:\php\pear') in C:\index.php on line 4

allow_url_include and allow_url_fopen

Difference

With only the allow_url_fopen configuration item turned on, PHP can only perform file operations on remote files, such as reading and writing them.
With the allow_url_include configuration item turned on, PHP can also include remote files into the current file through statements such as include and execute them as PHP code.

An example

<?php


$target_url = 'http://192.168.1.8/target';

var_dump(file_get_contents($target_url));
include($target_url);

Execution effect

Before executing the above sample code, enable the allow_url_fopen and allow_url_include configuration items.
Because the file_get_contents() function, which is governed by the allow_url_fopen configuration item, can only perform file operations such as reading and writing remote files, the code in http://192.168.1.8/target is executed only once (by include).

PHP Deprecated: Directive 'allow_url_include' is deprecated in Unknown on line 0
string(33) "<?php


var_dump('Hello World');
"
string(11) "Hello World"

Relationship

allow_url_include depends on allow_url_fopen being enabled. Specifically, allow_url_include only works when both allow_url_include and allow_url_fopen are enabled. If only allow_url_include is enabled, it has no effect.

Default configuration

Since PHP 5.2, the default value of the allow_url_include configuration item has been Off, while the default value of allow_url_fopen has always been On.
In real PHP deployments, it is recommended to turn off both allow_url_include and allow_url_fopen. These two configuration items are usually used to obtain and execute files from a remote server, but in some cases they can be exploited maliciously, leading to security vulnerabilities and risks.

Exception caused by closing configuration items

Turning off the allow_url_fopen and allow_url_include configuration items makes functions and statements such as file_get_contents and include unable to access remote files, and PHP raises a Warning. A Warning does not cause the PHP program to terminate immediately.
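Because the failure is only a Warning, a script that ignores the return value keeps running with false in place of the file contents. The following added example (not code from the original article) fails closed instead; the helper name read_remote() is hypothetical, the URL is the test server used earlier on this page, and PHP 7.0 or later is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example): read a remote file and fail closed.
 * It turns the Warning into an exception so the caller cannot continue
 * with `false` in place of the content.
 */
function read_remote(string $url, float $timeout = 3.0): string
{
    // Check the directive first so the disabled case needs no network access.
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_fopen is Off: remote reads are disabled');
    }

    // Convert any remaining Warning (refused connection, HTTP error, ...)
    // into an ErrorException for the duration of this call only.
    set_error_handler(static function (int $severity, string $message) {
        throw new ErrorException($message, 0, $severity);
    }, E_WARNING);

    try {
        $context = stream_context_create(['http' => ['timeout' => $timeout]]);
        $body = file_get_contents($url, false, $context);
    } finally {
        restore_error_handler();
    }

    if ($body === false) {
        throw new RuntimeException("Could not read $url");
    }
    return $body;
}

try {
    echo strlen(read_remote('http://192.168.1.8/target')), " bytes read\n";
} catch (Throwable $e) {
    // One place to log and stop, instead of a Warning followed by bad data.
    error_log('Remote read failed: ' . $e->getMessage());
    exit(1);
}
```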

Runtime configuration

ini_set()

In addition to the php.ini file, PHP also allows the values of certain configuration options to be modified dynamically through the ini_set() function while a script is running. The change takes effect only while the current script is running and does not affect the global configuration. This gives developers the flexibility to adjust configuration during the execution of a single script or application.

Restrictions

In PHP, different configuration items can be set in different ways, and not all of them can be modified at runtime through the ini_set() function. Some options cannot be changed through ini_set() because of security or system-level restrictions. allow_url_include and allow_url_fopen are such configuration items.

If you need to view the allowed configuration methods of a configuration item, please visit the ini.list.php page officially provided by PHP.
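
Both the ini_set() restriction and the rule that allow_url_include only works when allow_url_fopen is also enabled can be checked on a running installation. The script below is an added example, not code from the original article; the function name audit_url_directives() and the exit-code convention are hypothetical, and PHP 7.0 or later is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical audit helper (added example, not from the article).
 * Reports each directive's state, whether PHP permits changing it from a
 * script, and whether remote reads / remote includes are possible.
 */
function audit_url_directives(): array
{
    $details    = ini_get_all();   // per-directive values and access mask
    $directives = [];

    foreach (['allow_url_fopen', 'allow_url_include'] as $name) {
        $enabled = filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);

        // Only ever try to switch the directive OFF, so the probe cannot
        // weaken the configuration. false means PHP refused the change.
        $accepted = ini_set($name, '0') !== false;

        $directives[$name] = [
            'enabled'          => $enabled,
            // INI_USER bit set = changeable through ini_set().
            'user_changeable'  => ($details[$name]['access'] & INI_USER) !== 0,
            'ini_set_accepted' => $accepted,
        ];
    }

    $read = $directives['allow_url_fopen']['enabled'];
    return [
        'directives'              => $directives,
        'remote_read_possible'    => $read,
        // Remote include needs BOTH directives enabled.
        'remote_include_possible' => $read && $directives['allow_url_include']['enabled'],
    ];
}

$report = audit_url_directives();
var_export($report);
echo PHP_EOL;

// Exit code is this example's convention: fail a deployment check when
// remote code inclusion is possible.
exit($report['remote_include_possible'] ? 1 : 0);
```

Run it under the same SAPI as the application, because the command-line interpreter and the web server can load different php.ini files.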