Reference
Project | Description |
---|---|
Search Engine | Bing, Google |
AI large model | Wen Xinyiyan, Tongyi Qianwen, iFlytek Spark Cognitive Model, ChatGPT |
PHP official | filesystem.configuration.php |
PHP official | PHP Manual |
Environment
Project | Description |
---|---|
PHP | 5.5.0, 5.6.8, 7.0.0, 7.2.5, 7.4.9, 8.0.0, 8.2.9 |
PHP Editor | PhpStorm 2023.1.1 (Professional Edition) |
allow_url_fopen
allow_url_fopen configuration item
`allow_url_fopen` is a PHP configuration option that determines whether PHP can open files through a URL (instead of a local file path). Its value affects the behavior of some file-related functions in PHP, such as `fopen()` and `file_get_contents()`. Specifically, when `allow_url_fopen` is set to `On`, these functions can be used to read or write remote files. When it is set to `Off`, these functions can only operate on local files.
Operating remote files
When the `allow_url_fopen` option is set to `On` (currently, the option is on by default in every PHP version), PHP can access and process remote files. For example, you can use the `file_get_contents()` function to read the HTML content of a remote website, as in the following example:
```php
<?php
# Use the file_get_contents() function to fetch
# the HTML content of the Baidu page.
$content = file_get_contents('http://www.baidu.com');
var_dump($content);
```
Execution effect
Part of the output from the above example looks like this:
string(9508) "<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv= "X-UA-Compatible" content="IE=edge,chrome=1"><meta content="always" name="referrer"><meta name="description" content="The world's leading Chinese search engine, committed to To allow netizens to obtain information more conveniently and find what they are looking for. Baidu has a database of more than 100 billion Chinese web pages, and you can find relevant search results instantly. "><link rel="shortcut icon" href="//www.baidu.com/favicon.ico" type="image/x-icon"><link rel="search" type="application/opensearchdescription + xml " href="//www.baidu.com/content-search.xml" title="Baidu Search"> <title>Just search on Baidu and you will know</title><style...
file protocol
In PHP, use of the `file` protocol is not controlled by the `allow_url_fopen` configuration item, as the following example shows:
```php
<?php
# Use the ini_get() function to read
# the value of the allow_url_fopen configuration item.
var_dump(ini_get('allow_url_fopen'));

# Try to use file_get_contents() to read the contents of
# C:\Users\Public\Documents\index.php on the current host.
var_dump(file_get_contents('file:///C:\Users\Public\Documents\index.php'));
```
Execution effect
Since the `allow_url_fopen` configuration item is enabled by default in PHP, turn it off before executing the above example (you can do this by modifying the PHP configuration file `php.ini`).
Because `allow_url_fopen` has been turned off, the output of the first `var_dump` statement is `string(0) ""`. Even with `allow_url_fopen` turned off, functions such as `file_get_contents` can still operate on local files through the `file` protocol.
```
string(0) ""
string(35) "<?php var_dump('Hello World');"
```
allow_url_include
allow_url_include configuration item
`allow_url_include` is a PHP configuration directive similar to `allow_url_fopen`, but it applies specifically to PHP's `include`, `include_once`, `require` and `require_once` statements. When `allow_url_include` is set to `On`, PHP allows including and executing PHP files from remote servers via URLs, as the following example shows:
http://192.168.1.8/target
First, I prepared the file `target` on the server with the IP address `192.168.1.8`, and accessed the page through the browser on the current host. The effect is as follows:
Enable allow_url_include option
In PHP 8.0.0 the `allow_url_include` option is turned off by default, so you need to turn it on by modifying the configuration file. In the `php.ini` configuration file, change:
allow_url_include = Off
Modify it to the following content and save it.
allow_url_include = On
Execute the following sample code
```php
<?php
include('http://192.168.1.8/target');
```
Execution effect
Since the `allow_url_include` configuration item was deprecated in PHP 7.4.0, when it is enabled and used, PHP outputs the message `PHP Deprecated: Directive 'allow_url_include' is deprecated in Unknown on line 0`.
After executing the above example code, the contents of the `target` file are included into the current file and executed as PHP code.
```
PHP Deprecated: Directive 'allow_url_include' is deprecated in Unknown on line 0
string(11) "Hello World"
```
If the `allow_url_include` configuration item is not turned on before executing the above example code, the execution result will be as follows:
```
PHP Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in C:\index.php on line 4
PHP Warning: include(http://192.168.1.8/target): Failed to open stream: no suitable wrapper could be found in C:\index.php on line 4
PHP Warning: include(): Failed opening 'http://192.168.1.8/target' for inclusion (include_path='.;C:\php\pear') in C:\index.php on line 4
```
allow_url_include and allow_url_fopen
Difference
After turning on the `allow_url_fopen` configuration item, PHP can only perform file operations on remote files, such as reading and writing them.
After turning on the `allow_url_include` configuration item, PHP can include remote files into the current file through statements such as `include` and execute them as PHP code.
An example
```php
<?php
$target_url = 'http://192.168.1.8/target';
var_dump(file_get_contents($target_url));
include($target_url);
```
Execution effect
Before executing the above sample code, enable both the `allow_url_fopen` and `allow_url_include` configuration items.
Since the `file_get_contents()` function, which is governed by the `allow_url_fopen` configuration item, can only perform file operations such as reading and writing remote files, the code in `http://192.168.1.8/target` is executed only once (by `include`).
```
PHP Deprecated: Directive 'allow_url_include' is deprecated in Unknown on line 0
string(33) "<?php var_dump('Hello World'); "
string(11) "Hello World"
```
Relationship
The effectiveness of `allow_url_include` depends on the `allow_url_fopen` configuration item being enabled. Specifically, `allow_url_include` only works when both `allow_url_include` and `allow_url_fopen` are enabled. If only `allow_url_include` is enabled, it has no effect.
Default configuration
Since PHP 5.2, the default value of the `allow_url_include` configuration item has been `Off`, while the default value of the `allow_url_fopen` configuration item has always been `On`.
In real PHP deployments, it is recommended to turn off both the `allow_url_include` and `allow_url_fopen` configuration items. These two configuration items are usually used to obtain and execute files from a remote server, but in some cases they can be exploited maliciously, leading to security vulnerabilities and risks.
Exception caused by closing configuration items
Turning off the `allow_url_fopen` and `allow_url_include` configuration items makes functions such as `file_get_contents` and `include` unable to access remote files, and PHP raises a `Warning` when they try. A `Warning` does not cause the PHP program to terminate immediately.
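Because the `Warning` does not stop the script, code after a refused remote read keeps running with `false` in hand. The following added example (not code from the original article) turns that Warning into an exception for a single call; the helper name `fetch_or_throw()` is an assumption made here, the URL is the article's own test address, and the code is written for PHP 7.1 or later.

```php
<?php
// Added example; fetch_or_throw() is a hypothetical helper name.
// Run as: php -d allow_url_fopen=0 example.php

function fetch_or_throw(string $url): string
{
    // Promote E_WARNING to an exception for the duration of this call only,
    // so a disabled wrapper cannot be silently ignored by the caller.
    set_error_handler(static function (int $severity, string $message): bool {
        throw new ErrorException($message, 0, $severity);
    }, E_WARNING);

    try {
        $body = file_get_contents($url);
    } finally {
        // Always put the previous handler back, even when an exception is thrown.
        restore_error_handler();
    }

    if ($body === false) {
        // Failure that produced no Warning (defensive check).
        throw new RuntimeException("could not read $url");
    }
    return $body;
}

try {
    // With allow_url_fopen off, PHP refuses before any connection is attempted.
    $html = fetch_or_throw('http://192.168.1.8/target');
    echo strlen($html), " bytes read\n";
} catch (ErrorException | RuntimeException $e) {
    // Stop here instead of continuing with missing data.
    error_log('remote read refused or failed: ' . $e->getMessage());
    exit(1);
}
```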
Runtime configuration
ini_set()
In addition to the `php.ini` file, PHP also allows the values of certain configuration options to be modified dynamically through the `ini_set()` function while a script is running.
The change takes effect only while the current script is running and does not affect the global configuration. This gives developers the flexibility to adjust configuration during the execution of a single script or application.
Restrictions
In PHP, different configuration items can be set in different ways, and not all options can be modified at runtime through the `ini_set()` function. `ini_set()` lets you set configuration options dynamically while the script is running, but some options cannot be modified through it because of security or system-level restrictions. `allow_url_include` and `allow_url_fopen` are such configuration items.
If you need to view the allowed configuration methods of a configuration item, please visit the ini.list.php page officially provided by PHP.
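A start-up check that ties the sections above together, as an added example that is not code from the original article: it reads both directives, treats remote include as effective only when both are on, and confirms that `ini_set()` cannot change either one. The helper names `ini_flag()` and `url_wrapper_audit()` are assumptions made for this example, which is written for PHP 7.0 or later.

```php
<?php
// Added example; ini_flag() and url_wrapper_audit() are hypothetical helper names.

// Boolean directives reach ini_get() as strings such as "1", "", "On" or "Off".
function ini_flag(string $name): bool
{
    $raw = ini_get($name);
    if ($raw === false) {               // directive unknown to this build
        return false;
    }
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

function url_wrapper_audit(): array
{
    $fopen   = ini_flag('allow_url_fopen');
    $include = ini_flag('allow_url_include');
    $details = ini_get_all(null, true); // per-directive values and access level

    $report = [
        'remote_read'    => $fopen,
        // Including a URL needs BOTH directives enabled.
        'remote_include' => $fopen && $include,
    ];

    foreach (['allow_url_fopen', 'allow_url_include'] as $name) {
        $access = $details[$name]['access'] ?? 0;
        // ini_set() needs the INI_USER bit in the directive's access level.
        $report[$name . '_runtime_changeable'] = (bool) ($access & INI_USER);
        // Try to switch the directive OFF (the safe direction); ini_set()
        // returns false and leaves the value untouched when it is refused.
        $report[$name . '_ini_set_accepted'] = ini_set($name, '0') !== false;
    }
    return $report;
}

$report = url_wrapper_audit();
var_dump($report);

if ($report['remote_include']) {
    // Refuse to start rather than run with remote code inclusion enabled.
    error_log('allow_url_include is effective; set it to Off in php.ini');
    exit(1);
}
```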