
This isn't so much a coding question as a theory/best-practices question, but I wasn't sure where else to post it.


A while back I built an application for a client of mine which grabs some finance data from yahoo! and parses the numbers to give him some stock information. I used something like $data = file("http://finance.yaho.com/whatever?my=paramaters"); and all worked fine until the other day. He called me in a panic that his whole site was crashing and it was my application's fault.


I quickly realized that the problem was that his host, Network Solutions, turned off the allow_url_fopen directive without informing him.  I told him to tell them to turn it back on... of course, they wouldn't do that because he's on a shared IP with a thousand other websites and they now consider it a security risk.


They recommend I just use cURL instead, which I did and all is well with the world again.


But it leaves me wondering, how is cURL any safer than using file()? Both grab info from 3rd party sites.

cURL is safer because it can only access webpages, whereas file can access any file on your server given the right path etc.


It is better to use the proper tool for fetching webpage data (as cURL is much more efficient and quicker at it than file). So for instance if you have a form that says, "Enter URL of Link", when they pass it in you have something like:


file($_POST['link']);

that can open up your server for them to retrieve any file / code.

I'll guess this is under php4?


No php setting has any direct bearing on the safety of a script because it is the programmer's responsibility to validate data his script receives. However, under php4, having allow_url_fopen ON allows include('some_URL_that_a_hacker_fed_your_script') to cause external php code to be included and executed on the server, so as a knee-jerk reaction to a lack of coders validating data, some people might see that turning off the setting makes the server safer.


If under php5, the relevant setting would be allow_url_include.
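The two replies above make the same point from different angles: file($_POST['link']) lets a visitor pick which local file the script reads, and include() on a user-supplied URL lets a visitor pick which code the server runs. The following is an added example, not code from anyone in this thread, showing the unsafe pattern next to a hardened version: the fetch goes through cURL restricted to http/https against a fixed host allowlist, and the include target is chosen from an application-owned map rather than from the request. The host name, template paths and function names are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Assumptions: the only upstream we talk to is
// finance.yahoo.com, and page templates live under ./templates/.
declare(strict_types=1);

// The unsafe pattern from the second reply: the visitor controls the path handed to
// file(), so any readable local file (or stream wrapper) can be returned to them.
function fetch_unsafe(string $userInput): array
{
    return file($userInput); // DO NOT USE with request data
}

const ALLOWED_HOSTS = ['finance.yahoo.com']; // assumption: our single upstream

// Returns the URL unchanged if it is an http(s) URL on an allowed host with no
// embedded credentials; otherwise null. parse_url() is used for the split.
function validate_fetch_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // rules out file://, php://, ftp:// and friends
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // "user:pass@host" tricks are rejected outright
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

// Hardened fetch: validated URL, cURL limited to http/https even on redirects,
// redirects disabled so a 302 cannot steer the request to another host.
function fetch_safe(string $url): ?string
{
    $checked = validate_fetch_url($url);
    if ($checked === null) {
        return null;
    }
    $ch = curl_init($checked);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ($body !== false && $status === 200) ? $body : null;
}

// The include() case from the third reply: the request never supplies a path.
// A short key is looked up in a map the application owns (paths are assumptions).
const PAGE_TEMPLATES = [
    'quote' => __DIR__ . '/templates/quote.php',
    'chart' => __DIR__ . '/templates/chart.php',
];

function include_page(string $key): void
{
    if (!array_key_exists($key, PAGE_TEMPLATES)) {
        http_response_code(404);
        return;
    }
    include PAGE_TEMPLATES[$key]; // fixed local path, independent of allow_url_fopen/include
}

// Usage with untrusted form input, as in the thread:
// $html = fetch_safe($_POST['link'] ?? '');   // null for anything off-allowlist
// include_page($_GET['page'] ?? 'quote');     // 404 for unknown keys
```

Note that the validation here is what makes the cURL version safer, not cURL itself: with CURLOPT_FOLLOWLOCATION enabled and no host check, cURL would happily be pointed at internal services too. The server-side settings (allow_url_fopen, allow_url_include) only reduce the blast radius when a script forgets to validate; this code is safe with either setting.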
