The PHP option allow_url_include normally allows a programmer to include() a remote file (as PHP code) using a URL rather than a local file path. For security reasons, this feature should be disabled. If a script claims to require this feature, you should look into alternative software, as the use of this feature indicates serious design flaws.<\/p>\n
There are a number of reasons why URL includes should always be avoided:<\/p>\n
It’s insecure \u2013 if your application can be tricked into including content from a URL outside itself (and there are a number of common ways this can happen), an attacker can force your application to start running code from their own web site.<\/p>\n
It’s inefficient \u2013 if your PHP script includes content from a URL, then the web server must make HTTP requests to generate the page. This makes your page load much slower than necessary, especially if the site you’re loading content from is responding slowly.<\/p>\n
It’s unreliable, for the same reasons \u2013 if the web server you are loading content from occasionally fails to respond, your web site also sometimes fails to load properly.<\/p>\n
It’s usually unnecessary \u2013 in most cases, allow_url_include can be avoided either by including the content directly (if it is being loaded from a domain you host) or by loading and printing the content without evaluating it as PHP.<\/p>\n","protected":false},"excerpt":{"rendered":"
The PHP option allow_url_include normally allows a programmer to include() a remote file (as PHP code) using a URL rather than a local file path. For security reasons, this feature should be disabled. If a script claims to require this feature, you should look into alternative software, as the use of this feature indicates serious … Continue reading allow_url_include<\/span>