How do I set allow_url_include to On
Posted by Tony B., Last modified by Tony B. on 29 January 2020 02:43 PM
The PHP setting allow_url_include is disabled on all Hawk Host servers and, for the protection of our users, it is a setting we do not allow to be overridden through our PHP selector's setting system. The allow_url_include directive is disabled by default in PHP and, as of PHP 7.4, is deprecated and will produce an error when enabled.
The allow_url_include directive makes the functions include, include_once, require and require_once URL-aware, which has major security implications. When used, it will execute anything fetched remotely as PHP, which means that if you're including a remote website, that website could easily inject PHP code into yours. This capability is also frequently used in malicious files and in exploits against software. Here are some examples of it being used, along with alternative methods so that you do not need this setting:
A developer who needs to include additional PHP files within the website's index.php uses:
This can alternatively be written as:
This is not only safe but quicker than remotely visiting your website for the header contents.
There may also be cases where it's being used to add external content from another website and may look like this:
You could alternatively write this as:
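Both replacements described above, as an added example that is not code from the original article. The file name header.php, the host partner.example.net and the helper fetch_remote_html() are assumptions made for illustration, and the second case assumes allow_url_fopen is enabled (cURL works equally well).

```php
<?php
declare(strict_types=1);

// Case 1: a file that lives on the same site.
// With allow_url_include=On, a URL include fetches the page over HTTP and
// executes whatever comes back as PHP:
//     include 'http://www.example.com/header.php';
// A filesystem path reads the file from disk: no HTTP round trip and no
// remotely supplied code. header.php is assumed to sit beside this script.
include __DIR__ . '/header.php';

// Case 2: content from another website.
//     include 'http://partner.example.net/feed.html';  // response runs as PHP
// Fetch it as data instead. The body is returned as a string and is never
// handed to the PHP interpreter.
function fetch_remote_html(string $url, array $allowedHosts, int $timeout = 5): ?string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    // Only HTTPS URLs on hosts we explicitly expect (constructed allowlist).
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if ($scheme !== 'https' || !in_array($host, $allowedHosts, true)) {
        return null;
    }
    // Bound the wait and refuse redirects so the request cannot be bounced
    // to a host outside the allowlist.
    $context = stream_context_create([
        'http' => ['timeout' => $timeout, 'follow_location' => 0],
    ]);
    $body = @file_get_contents($url, false, $context);
    return $body === false ? null : $body;
}

$html = fetch_remote_html(
    'https://partner.example.net/feed.html',   // constructed sample URL
    ['partner.example.net']
);

// Escape before output so remote markup or script is displayed as text.
// If the remote markup must render, pass it through an HTML sanitiser instead.
echo $html === null
    ? '<!-- remote content unavailable -->'
    : htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
```

Neither case needs allow_url_include: the first never leaves the local filesystem, and the second treats the remote response strictly as data.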
If you have third-party applications or developers still insisting that it is necessary to turn allow_url_include on, we recommend linking them to this article and to the many others on the internet that discuss how dangerous enabling allow_url_include is.