我应该在 PHP 中允许 'allow_url_fopen' 吗?
我们有几个开发人员要求在我们的服务器上启用 allow_url_fopen.现在的标准是什么,如果 libcurl 被启用,真的有什么好的理由允许吗?
We have a couple of developers asking for allow_url_fopen to be enabled on our server. What's the norm these days and if libcurl is enabled is there really any good reason to allow?
环境为:Windows 2003、PHP 5.2.6、FastCGI
Environment is: Windows 2003, PHP 5.2.6, FastCGI
推荐答案
您肯定希望 allow_url_include 设置为 Off,这也降低了 allow_url_fopen 的许多风险.
You definitely want allow_url_include set to Off, which mitigates many of the risks of allow_url_fopen as well.
但是因为不是所有版本的 PHP 都有 allow_url_include,所以很多人的最佳做法是关闭 fopen.与所有功能一样,现实是如果您的应用程序不需要它,请禁用它.如果您确实需要它,curl 模块可能会做得更好,并且重构您的应用程序以使用 curl 来禁用 allow_url_fopen 可能会阻止最不确定的破解者.
But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen may deter the least determined cracker.
相关文章