Reputation: 663
I recently upgraded from php4 to php5 and with it came the notice that all my remote php file access no longer worked. I've been doing quite a bit of research into this and I don't seem to have a clear answer as to what is the correct way to include remote urls in php5.
The first example is to include the file this way
<?php
$data = file_get_contents("http://example.com/example.inc.php",0);
echo $data;
?>
The 2nd is this way
<?php
$ch = curl_init("http://example.com/example.inc.php");
curl_exec($ch);
curl_close($ch);
?>
and 3rd is to set in my php.ini file
allow_url_include = On
allow_url_fopen = On
and use the good old
<?php include_once('http://example.com/example.inc.php');?>
I want to do this right and secure.
Upvotes: 2
Views: 2058
Reputation: 4478
Well,
First method => Is correct and you shouldn't worry about using it.
Second method => Is correct, but the curl extension should be enabled.
Third method => Is correct, but using this option is not recommended because enabling allow_url_include likely makes your site vulnerable. For more detail see http://en.wikipedia.org/wiki/Include_vulnerability and this link http://wiki.dreamhost.com/Allow_url_include
Upvotes: 1
Reputation: 42984
All solutions are correct and there is no real difference in safety AFAIK.
I think the difference can be summed up like this:
The ini-settings provide the behaviour as known from prior versions. The reason why they are disabled by default is the security threat, but that is equal to all three solutions. Including remote files is a security problem, regardless of whether you control the remote site or not.
file_get_contents() and the curl extension create some overhead, since you have to buffer the content, but for php include files that is more a cosmetic thing. Their usage is slightly more complex when reading through a script. But the buffering also adds benefits: you might create a local cache, for example, or a checksum towards a basic plausibility check. Also, a syntax check prior to execution is possible, thus preventing the crash of your calling script.
Curl is provided as a php extension. So the curl solution only works when the extension is installed, but it offers a much higher grade of freedom and many more options. If you don't require those, stay with the built-in functions.
Upvotes: 2
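The checksum and local-cache idea from the last answer, as an added example that is not part of the original posts: the fetched bytes are treated as inert data, compared against a pinned SHA-256, and only then cached and output. The function names, cache path and sample content are hypothetical, and it assumes the remote file is static content rather than PHP to be executed.

```php
<?php
// Added example: buffer remote content, verify it against a pinned checksum,
// then cache it. Nothing is passed to include/eval, so allow_url_include
// can stay Off.

function fetch_remote(string $url): string
{
    // Assumption: the content is published over HTTPS.
    if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('refusing non-HTTPS URL');
    }
    // Short timeout, and no silent redirects to another host.
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException("fetch failed: $url");
    }
    return $body;
}

function verify_checksum(string $body, string $pinnedSha256): string
{
    // hash_equals() compares the two hex digests in constant time.
    if (!hash_equals(strtolower($pinnedSha256), hash('sha256', $body))) {
        throw new RuntimeException('checksum mismatch, content rejected');
    }
    return $body;
}

// Constructed sample standing in for the result of fetch_remote(),
// so the demonstration runs offline.
$published = "<p>Shared footer</p>\n";
$pinned    = hash('sha256', $published); // in practice: recorded when the file was reviewed
$cache     = sys_get_temp_dir() . '/example.inc.cache'; // hypothetical cache path

$samples = ['as published' => $published, 'modified' => $published . "<!-- changed -->\n"];
foreach ($samples as $label => $received) {
    try {
        $ok = verify_checksum($received, $pinned);
        file_put_contents($cache, $ok, LOCK_EX); // only verified bytes reach the cache
        echo "$label: accepted, ", strlen($ok), " bytes cached\n";
    } catch (RuntimeException $e) {
        echo "$label: ", $e->getMessage(), "\n";
    }
}

// The cached copy is output as text; it is never executed as PHP.
echo file_get_contents($cache);
```

In real use the loop body would receive the return value of fetch_remote(), and a failed fetch or checksum would fall back to the last verified cache file.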