If your server sets the allow_url_fopen and allow_url_include PHP directives OFF

Here is some great geeky information given by Network Solutions customer service to one of my clients, who passed it on to me. Since my servers have similar security standards, I frequently refer to the code examples and solutions illustrated below.

For security reasons (to prevent “PHP include” hacker attacks), some servers set the allow_url_fopen and allow_url_include PHP directives to off. If you see errors similar to the following on your website, then your website (or software you have installed on your website) uses insecure PHP calls.

Common Errors

Warning: fopen() [function.fopen]: URL file-access is disabled in the server configuration in /……../ on line (..)

Warning: file_get_contents() [function.file-get-contents]: URL file-access is disabled in the server configuration in /……../ on line (..)

Warning: include() [function.include]: URL file-access is disabled in the server configuration in /……../ on line (..)

Warning: getimagesize() [function.getimagesize]: URL file-access is disabled in the server configuration in /……../ on line (..)

Warning: readfile() [function.readfile]: URL file-access is disabled in the server configuration in /……../ on line (..)

Solution

WordPress / Joomla / Drupal Software: These applications do not use functions that require allow_url_fopen or allow_url_include to be turned on. However, certain third-party plugins may require changes. If you see any of the errors above, try to isolate which plugin is causing the issue and replace it with an alternative plugin. You should also consider reporting the issue to the plugin developer so that they may fix it in an upcoming release. Alternatively, you can check out some of the examples below and attempt to fix the errors yourself.

Note: Do not attempt to fix issues yourself if you do not have prior software development experience. If the below does not make sense, you should consult with your web professional.

The errors above appear when your website attempts to retrieve outside web URLs through PHP's file functions. The solution is to use the PHP Curl library to do so instead, which is more secure: it returns the remote content to your script as a string and does not depend on the URL wrappers that these directives disable. How you use PHP's Curl library to resolve the issue depends on which warning you've received.

Example 1: Warning: fopen() [function.fopen]:

<?php

// startElement, endElement and characterData are handler functions defined elsewhere
$file = "http://news.google.com/news?ned=us&topic=h&output=rss";

$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "startElement", "endElement");
xml_set_character_data_handler($xml_parser, "characterData");

// Fails when allow_url_fopen is off, because $file is a remote URL
if (!($fp = fopen($file, "r"))) {
    die("could not open XML input");
}

while ($data = fread($fp, 4096)) {
    if (!xml_parse($xml_parser, $data, feof($fp))) {
        die(sprintf("XML error: %s at line %d",
            xml_error_string(xml_get_error_code($xml_parser)),
            xml_get_current_line_number($xml_parser)));
    }
}

?>

In the above example, an attempt is made to open a Google RSS feed. The fopen() call will fail because $file is an outside web site, and the rest of the code will not be executed. To properly load and parse the RSS feed, this snippet of code would need to be rewritten as follows:

<?php

$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "startElement", "endElement");
xml_set_character_data_handler($xml_parser, "characterData");

$file = "http://news.google.com/news?ned=us&topic=h&output=rss";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $file);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$xmldata = curl_exec($ch);
curl_close($ch);

// curl_exec() returns false when the transfer fails
if ($xmldata === false) {
    die("could not fetch XML input");
}

// split() no longer exists in PHP 7+, and the whole document is already in memory,
// so parse it in one call; the third argument marks it as the final chunk
if (!xml_parse($xml_parser, $xmldata, true)) {
    die(sprintf("XML error: %s at line %d",
        xml_error_string(xml_get_error_code($xml_parser)),
        xml_get_current_line_number($xml_parser)));
}

?>

Example 2: Warning: file_get_contents() [function.file-get-contents]:

<?php

$contents = file_get_contents('http://www.cnn.com/');

echo $contents;

?>

In the above example, the file_get_contents function is used to retrieve the content of the CNN website. You can accomplish the same thing safely using CURL as follows:

<?php

$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, 'http://www.cnn.com');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$contents = curl_exec($ch);
curl_close($ch);

// display file
echo $contents;
?>

Example 3: Warning: include() [function.include]:

Including files from web hosts is not allowed.

<?php include("http://www.example.com/new.php"); ?>

If the file that you are trying to include is local, use a relative path instead of the web URL. Otherwise, use the following, which outputs the fetched content as text rather than executing it as PHP:

<?php

$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, 'http://www.example.com/new.php');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$contents = curl_exec($ch);
curl_close($ch);

// display file
echo $contents;
?>

Example 4: Warning: getimagesize() [function.getimagesize]:

getimagesize() allows you to get the height, width and size of an image file. To use getimagesize() safely, CURL can be used to get the remote file, the data can be saved to a local temporary image file and getimagesize() can be used on the local version.

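<?php

$filename = "http://www.example.com/example.jpg";

$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $filename);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

$contents = curl_exec($ch);
curl_close($ch);

// curl_exec() returns false when the transfer fails
if ($contents === false) {
    die("could not fetch image");
}

// decode the downloaded bytes and save them as a local temporary JPEG
$new_image = imagecreatefromstring($contents);
if ($new_image === false) {
    die("downloaded data is not a supported image");
}
imagejpeg($new_image, "temp.jpg", 100);

$size = getimagesize("temp.jpg");

// width and height
$width = $size[0];
$height = $size[1];

?>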
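As an added example (not from the original post): on PHP 5.4 and later the downloaded bytes can be measured in memory with getimagesizefromstring(), which reads only the image header, so nothing is fully decoded or written to a fixed temp.jpg. The function name image_dimensions(), the type allowlist and the size limit are assumptions chosen for illustration, and the 1x1 PNG is a constructed sample so the block runs offline.

```php
<?php
// Added example: validate and measure fetched image bytes without a temp file.
// image_dimensions(), the allowlist and $maxSide are illustrative assumptions.

function image_dimensions(string $bytes, int $maxSide = 8000): array
{
    // Reads header fields only; returns false for data that is not an image.
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        throw new UnexpectedValueException('not a recognised image');
    }

    // Accept only the formats the site actually expects.
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if (!in_array($info[2], $allowed, true)) {
        throw new UnexpectedValueException('image type not allowed: ' . $info['mime']);
    }

    // Refuse implausible dimensions before any later code decodes the pixels.
    list($width, $height) = $info;
    if ($width < 1 || $height < 1 || $width > $maxSide || $height > $maxSide) {
        throw new UnexpectedValueException("dimensions out of range: {$width}x{$height}");
    }

    return ['width' => $width, 'height' => $height, 'mime' => $info['mime']];
}

// Constructed sample standing in for the curl_exec() result: a 1x1 PNG.
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
print_r(image_dimensions($png));

// Constructed non-image response, e.g. an HTML error page served at the image URL.
try {
    image_dimensions('<html><body>404 Not Found</body></html>');
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```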

Example 5: Warning: readfile() [function.readfile]:

<?php

// readfile() writes the file straight to the output and returns the number of bytes read
readfile('http://www.example.com/some.txt');

?>

In the above example, the readfile function is used to retrieve the content of a remote text file. You can accomplish the same thing safely using CURL as follows:

<?php

$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, 'http://www.example.com/some.txt');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$contents = curl_exec($ch);
curl_close($ch);

// display file
echo $contents;
?>

The above examples are not guaranteed to run without changes; they are strictly guidance to illustrate how to safely retrieve off-site content.
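The cURL calls in the examples above set only the URL and CURLOPT_RETURNTRANSFER. The following added example (not from the original post) shows one way to wrap them in a single helper that restricts the request to http/https, does not follow redirects, applies timeouts, keeps TLS verification on and caps the response size. The name fetch_remote() and the limit values are assumptions, and the demo URLs are constructed inputs that are rejected before any request is sent.

```php
<?php
// Added example: a stricter wrapper for the curl_exec() pattern used above.
// fetch_remote() and its limit values are illustrative assumptions.

function fetch_remote(string $url, int $maxBytes = 1048576): string
{
    // Reject anything that is not http(s) before any network activity.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("scheme not allowed: $url");
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // enforced by libcurl too
        CURLOPT_FOLLOWLOCATION => false, // a redirect cannot steer the request elsewhere
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FAILONERROR    => true,  // HTTP status >= 400 is reported as a failure
        // Collect the body chunk by chunk and abort once the cap would be exceeded.
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body, $maxBytes) {
            if (strlen($body) + strlen($chunk) > $maxBytes) {
                return -1; // any value other than strlen($chunk) aborts the transfer
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ]);

    $ok  = curl_exec($ch);   // true or false, because the callback receives the body
    $err = curl_error($ch);
    if ($ok === false) {
        throw new RuntimeException("fetch failed: $err");
    }
    return $body;
}

// Constructed inputs: each fails the scheme check, so the demo runs offline.
foreach (['file:///tmp/example.txt', 'ftp://www.example.com/some.txt', 'php://input'] as $url) {
    try {
        fetch_remote($url);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

If the URL comes from user input, the destination host should also be checked against an allowlist before calling the helper, since the scheme check alone does not limit which hosts the server will contact.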

8 thoughts on “If your server sets the allow_url_fopen and allow_url_include PHP directives OFF”

  1. sinu

    Thank you very much, really I am searching for this code. Now it successfully works in my server.
    Great!

  3. deniz

    Hiiiii
    I really thank you!
    I was so glad when I saw CURL codes here!
    Story is this: I published an ajax code to my website but I get “internal server error 500”.
    Finally I understood the problem is in my php.ini configuration, because I had used the fopen function in my code to use the Google API, and when I saw allow_url_fopen is off I called the host company and they told me it's off because of security problems!
    For now I found your page and my problem is solved! Thank you so much!
    I follow your posts on this blog always! I'm sure your code will be more helpful for all programmers!
    Good luck Goff!

  4. mauri

    Hello
    WP gives an error using the function file_get_contents(filename.txt) to read a text file, not a website URL.
    Could you help me?
    Thanks

  5. tarekitsme

    Lately I added a new plugin and it's requiring me to allow_url_fopen, and I paid for this plugin, and it's for music only, so I guess there are no threats from a site like SoundCloud. Do you think I do better to allow URL or not?
