PHP include vs file_get_contents

Question

So I've been using file_get_contents to request a file via a plugin for Wordpress I distribute to other users.

Anyway originally what I was doing was checking to see if the user has 'allow_url_fopen' enabled and if so going straight for file_get_contents. If not, I then checked to see if the user has cURL enabled, and if so take that route. The code is below:

if ( ini_get( 'allow_url_fopen' ) == 1 ) {
    $content = file_get_contents( $file );
    return $content;      
}
elseif ( function_exists( 'curl_version' ) ) {
    $curl = curl_init();
    curl_setopt( $curl, CURLOPT_URL, riva_slider_pro_dir( true ) . $file );
    curl_setopt( $curl, CURLOPT_RETURNTRANSFER, 1 );

    $content = curl_exec( $curl );
    curl_close( $curl );

    return $content;
}

However, here is the issue I've run into. A particular users host blocked the file_get_contents function from accessing files altogether, whilst leaving allow_url_fopen enabled. Nothing would work, relative paths, absolute paths, nothing. So I turned to another solution, and find out that this worked:

    ob_start();
    include $file;
    $content = ob_get_contents();
    ob_end_clean();

My question is, how reliable is this method? With this, I have been using a local path, such as 'admin/file.css', etc.

If I decide to replace the top code with this, what kind of hosting setup could stop it from working? Using this method doesn't provide a way for me to check if something has gone wrong.

Answer 1

Your include method will be much less reliable. Disabling file_get_contents is rare, while allow_url_include (which you're implicitly depending on) is off by default.

It's also incredibly insecure. If your web server is hacked and someone modifies one of the files that your plugin is loading to include PHP code in the output, everyone with your plugin installed will start running that code. That would be REALLY BAD.