How to prevent including remote server file or shared server file?
https://stackoverflow.com/questions/12294547
-
30-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I am using Xampp server on my system and by twiking some PHP.INI settings on Xampp server of my system just discoverd that I can include my php files from my remotely hosted site. Although I could not able to access the variable on remote file however I am still scared that a professional hacker can access those variables. I am scared because url shows the path of the file. I know I can hide the extention of the file using .htaccess but still anyone can guess these file type because there are only few types of server side scripts mostly used by webdevelopers. Please let me know if there is any way to prevent including my server files on remote server or the servers which runs on the same server where my site resides or there is nothing to worry about.
Solution
In php.ini disable url include like this
allow_url_include = Off
OTHER TIPS
allow_url_include = On
What this option does is to allow you to write code like this:
include 'http://example.com/foo.php';
It does not allow other people to include files which are on your server.
Your fears are entirely baseless.
Any .php file on your server will always be executed by Apache when somebody accesses them through a URL. Nobody can see your source code just like that. (Assuming Apache is not broken or severely misconfigured.)
PS: allow_url_include should be turned off anyway. It's a bad idea.
