Knowledgebase: PHP / Programming
How do I set allow_url_include to On
Posted by Tony B., Last modified by Tony B. on 29 January 2020 02:43 PM

The PHP setting allow_url_include is disabled on all Hawk Host servers and for the protection of our users is a setting we do not allow to be overridden through our PHP selector's setting system. The allow_url_include directive is by default disabled in PHP and as of PHP 7.4 is deprecated and will produce an error when enabled.

The allow_url_include directive makes the functions include, include_once, require and require_once URL aware which has major security implications. When used it will execute anything remotely as PHP which means if you're including a remote website it could easily injection PHP code into your website. This capability also is frequently used in malicious files and exploits within software. Here are some examples of it being used and alternative methods so that you do not need this setting:

The developer needs to include additional PHP files within their index.php of the website uses:

<php include("http://mywebsite.com/includes/header.php"); ?>

This can alternatively be written as:

<php include("includes/header.php"); ?>

This is not only safe but quicker than remotely visiting your website for the header contents.

There may also be cases where it's being used to add external content from another website and may look like this:

<?php include("http://www.otherwebsite.com/scores.txt"); ?>

You could alternatively write this as:

<?php print file_get_contents("http://www.otherwebsite.com/scores.txt"); ?> ?>

Keep in mind however printing contents from a remote website can be dangerous for website visitors as it could contain malicious html/javascript code but this will not execute PHP code which makes it safer for your website.

If you have third party applications and developers still insisting it is necessary to turn allow_url_include on we recommend linking them to this article and many others on the internet which discuss how dangerous allow_url_include on is.

(401 vote(s))
Helpful
Not helpful

Comments (0)
Post a new comment
 
 
Full Name:
Email:
Comments:
CAPTCHA Verification 
 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).