Require_once and fopen in php security

Question

I have 1 file that i've implemented in PHP. Error that i get is

Warning: require_once(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in /Applications/MAMP/htdocs/opencart/catalog/view/theme/default/template/payment/bank_transfer.tpl on line 13Warning:

Questions:

1. I know that i need to fix this by allowing allow_url_include=0, in php.ini.I'm using MAMP, i've searched all the folders in MAMP and MAMP Pro, but i didn't find any line, where i can set that value to 0. Do i add this line?

2. I've read LINK and i'm worried that there are some security issues with using require_once, fopen and absolute URL. Is there any security issues with using absolute URL and require_once?

3. How can i specify URL to the document? Currently it's www.example.com/opencart/admin/kzm/kzm.utils.php, i tried to use relative URL /opencart/admin/kzm/kzm.utils.php, but i didn't find the file. Am i doing it right?

bank_transfer.tpl:

<h2><?php echo $text_instruction; ?></h2>
    <div class="content">
          <p><?php echo $text_description; ?></p>
          <p><?php echo $bank; ?></p>
          <p><?php echo $text_payment; ?></p>
          <p><?php echo $orderIdKZM; ?></p>
          <p>
          <?php 
            echo $amountKZM; 
            $titleKZM = $titleKZM.$orderIdKZM; 
            echo '<br>';

            require_once('http://example.com/opencart/admin/kzm/kzm.utils.php');
            echo $titleKZM;
            echo '<br>';

            $merchantIdKZM = '10';
            $currencyKZM = 'KZT';
            $successUrlKZM = 'http://localhost:8888/opencart/admin/kzm/kzm_pay.php';
            $erroUrlKZM = 'http://www.google.com';

            $dateKZM = " ";
            $signstrKZM = " ";
            $verKZM = " ";
            echo $merchantIdKZM.'-'.$currencyKZM.'-'.$successUrlKZM.'-'.$erroUrlKZM.'-'.$dateKZM;

          ?></p>
    </div>
    <div class="buttons">
      <div class="right">
            <form action="/opencart/testkzm.php" method="get">
                <input type="hidden" name="merchantIdKZM" value="<?php echo $merchantIdKZM; ?>">
                <input type="hidden" name="orderIdKZM" value="<?php echo $orderIdKZM; ?>">
                <input type="hidden" name="amountKZM" value="<?php echo $amountKZM; ?>">
                <input type="hidden" name="currencyKZM" value="<?php echo $currencyKZM; ?>">
                <input type="hidden" name="successUrlKZM" value="<?php echo $successUrlKZM; ?>">
                <input type="hidden" name="errorUrlKZM" value="<?php echo $errorUrlKZM; ?>">
                <input type="hidden" name="signstrKZM" value="<?php echo $signstrKZM; ?>">
                <input type="hidden" name="verKZM"  value="<?php echo $verKZM; ?>">

                <input type="submit" value="<?php echo $button_confirm; ?>" id="button-confirm" class="button" />
            </form>
        </div>
    </div>

Answer 1

Changing allow_url_include=1 is not safe. It's set to disabled by default.

When I include something on the local machine I always use something like this so it can be ported across platforms. Hardcoding an include below the web root can lead to mandatory rewrites if you're on a shared hosting plan or if you don't control your server. Also this is more portable for a dev/production environment.

<?php

    require_once($_SERVER['DOCUMENT_ROOT'].'/opencart/admin/kzm/kzm.utils.php');

?>

If you need to get to another directory you can always do something like this:

<?php

    require_once($_SERVER['DOCUMENT_ROOT'].'/../website2_folder/opencart/admin/kzm/kzm.utils.php');

?>

Answer 2

You should give require_once() path relative to a filesystem, not site URL.

For example you have site http://example.com and scripts for this site located in /Applications/MAMP/htdocs/ directory. So, you should use require_once("/Applications/MAMP/htdocs/opencart/admin/kzm/kzm.utils.php"); instead of require_once('http://example.com/opencart/admin/kzm/kzm.utils.php');.

And no config modification is needed in that case.

Answer 3

1 and 2 questions i don't know

3) If php code which you want require is your current directory, try this:

require_once("kzm.utils.php");

If doesnt, use full path Example:

require_once("/var/www/opencart/kzm.utils.php);