allow_url_fopen is disabled?

M

marked

New member
My CORS server was functioning superbly so far till this morning when I updated it and tried to include one of my php files residing on another domain ...

And I get ... this in the logs:

[08-Nov-2015 04:07:38 UTC] PHP Warning: include(--my foreign domain php script--): failed to open stream: no suitable wrapper could be found in /home/marked/public_html/response.php on line 17
[08-Nov-2015 04:07:38 UTC] PHP Warning: include(): Failed opening '--my foreign domain script--' for inclusion (include_path='.:/opt/alt/php55/usr/share/pear:/opt/alt/php55/usr/share/php') in /home/marked/public_html/response.php on line 17

Is allow_url_fopen directive disabled? And are url wrappers unsupported? :( :(
 
GigaGreg

GigaGreg

Moderator
Staff member
I think that allow_url_fopen directive is enabled because I have used it already on my hoopla website. Maybe you have to switch it on in php. Oni file or you are doing something wrong so it doesn't work.
 
O

ogah

New member
marked, you can check it with small php script
PHP: 
<?pho phpinfo(); ?>
and you will see its enabled
 
M

marked

New member
So if my php file (hosted here on gigarank) includes the line:

include "remote_php_file";

should it be included in my code or not?

As in, what php settings should be turned on at this server (gigarank) and which settings need to be turned on at the remote server to successfully include the remote file in my gigarank file code?

Plus, can every member (here at gigarank) change the php settings for his account or is set of global settings implemented for all users (which of course, cannot be changed by any normal hosted member)?

Update:

I searched the instructions in some detail and found out that it's not allow_url_fopen which I am concerned with here but it is actually allow_url_include (which is turned off) which is not allowing me to include remote code in my script. :undecided:

I think I would need to have allow_url_include turned on here at gigarank and allow_url_fopen turned on at the remote server to have my code on gigarank successfully include remote code on the server. :wacko:

Is that right, pros?
 
GigaGreg

GigaGreg

Moderator
Staff member
Yes you are right Marked, but our Tech Admin would have to check if this would be safe for everyone as we are using shared resources for free webhosting. @"un4saken"
 
un4saken

un4saken

Administrator
I'm sorry but we can't allow users to include remote php files in their scripts. This would be the end of the world, lol.
 
M

marked

New member
I have no complaints about it as all of programming and security techs are telling me that allow_url_include is a very serious security vulnerability. Also no other free hosting service has that directive turned on at their servers. So I accept it as the norm.

I simply do not want to keep all my php code in one place because I am apprehensive about code theft. That is why I have broken my php code into multiple files and hosted them on different servers. Otherwise, all the files I want to import are created by myself and define some functions and variable values.

Anyhow, seeing that including remote files that way is not an option (and probably will never be an option), how can I have all my code in one place and secure it from possible code theft?

I am being so paranoid because in the past I have had some of my js code stolen and some admins on a free host who apparently wanted to "check" my code for security breaches were somehow tempted to take bits and pieces off of it for their own projects once they determined it does not incur any security breach.

p.s. Thanks to GigaGreg and un4saken for the swift response on my query. You guys are real good and quick in responding to support questions :clapping: :cool::angel:
 
O

ogah

New member
maybe all shared hosting have disabled allow_url_include, not only gigarank.
if you want enable that function you must use vps or dedicated server
 
You must log in or register to reply here.