Reputation: 478
I want to ask something regarding allow_url_include
- ...
If a server has allow_url_include enabled in the PHP configuration, can the server owner easily create a PHP script and do something like:
include("http://example.com/configuration.php");
echo $mysql['username'];
So he can get the value of the MySQL username?
If that was possible, can I disallow that on my script to prevent hackers?
Thank you!
Upvotes: 0
Views: 229
Reputation: 10
He can't get the value of the MySQL username.
He can only get the source code and the results of the page: http://example.com/configuration.php
Upvotes: 0
Reputation: 21564
No, he will get the same thing as you have in your web browser. That would be a huge security issue.
Note that if your webserver is misconfigured, it can happen.
Upvotes: 1
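The check below is an added example, not part of the original question or answers. It classifies the body that a URL such as http://example.com/configuration.php returns to any HTTP client, which is the same content a remote include() receives, and flags the misconfigured case where the file is served as text. The function name `classify_config_response` and the sample responses are constructed for illustration.

```php
<?php
// Added example (hypothetical helper, not from the original thread).
// In real use, $body is the response you get when requesting your own
// configuration URL with any HTTP client.

/**
 * Heuristic classification of an HTTP response body.
 *
 * @param string $body response body as received by the client
 * @return string 'source-exposed', 'output-only' or 'empty'
 */
function classify_config_response(string $body): string
{
    // An executed PHP file does not normally send its own open tag or its
    // variable assignments; seeing them suggests the file was served as text.
    $patterns = [
        '/<\?php\b/i',                               // full open tag
        '/<\?=/',                                    // short echo tag
        '/\$[A-Za-z_]\w*\s*(\[[^\]]*\])?\s*=[^=]/',  // $var = ... or $var['k'] = ...
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $body) === 1) {
            return 'source-exposed';
        }
    }
    // No PHP source seen: the client got only what the script printed.
    return trim($body) === '' ? 'empty' : 'output-only';
}

// Constructed sample responses (not captured from a real server).
$samples = [
    'PHP executed, config prints nothing' => '',
    'PHP executed, page prints HTML'      => '<html><body>OK</body></html>',
    'misconfigured, file served as text'  => "<?php\n\$mysql['username'] = 'placeholder_user';\n",
];

foreach ($samples as $label => $body) {
    printf("%-38s => %s\n", $label, classify_config_response($body));
}
```

Only the 'source-exposed' result means a remote client can read values such as `$mysql['username']`; in the other two cases the variables never leave the server.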