Publish Content

Although it has had a nice run, PHP 4 is now being replaced with versions such as PHP 5. This slow transition is become quicker as time continues, and web developers see the benefit of the upgrades and changes. One such change was made in how webmasters use the include function to add a remote file to their websites.

Remote files are often included into a webpage as a way to modularize and organize the code for webmasters. Included files make administering a website quick and painless, but with the switch from PHP 4, the syntax is going to change a little. This is due to the fact that cross-site scripting attacks, or XSS attacks, have become a serious threat to developers everywhere.

An XSS attack will seek to inject code into a webmaster’s website and attempt to run it. By using the normal include function that PHP 4 allowed for, this means that an attacker could easily include files from another server located anywhere in the world. In doing so, servers could become “zombies” that could spam or attack other websites and users at will, all without the webmaster knowing.

PHP 5 has fixed the problem by setting the PHP configuration “allow_url_fopen_ to “off” in the configuration file. This allows webmasters to still use the include function, but they can’t use absolute paths anymore. One way around this is to simply use relative paths instead, which are easier to type out and are a cinch to put into action.

Another method of using the include function in PHP 5 is to simply call the server’s own base directory for calling files. This way the same syntax can be observed. The server variable for this base directory, “$_Server['document_root'],” takes the place of the webmaster’s domain name when including a file. Using this server variable, in effect, allows webmasters to still use absolute paths in their include functions. This is useful for bypassing changing all include functions to accommodate for relative paths.

It is recommended that the “allow_url_fopen” command be kept off, even though it could be easily changed in the server configuration if access to the server is granted. If for some reason there is no possible way to keep this configuration setting off, there should be more focus on sanitizing any input a user on a website might have into a database or variable. After all, web servers got along fairly fine with the setting defaulted to on in PHP 4.

Final Thoughts

There isn’t much trouble in migrating to PHP 5, but webmasters will notice some errors here and there they will need to fix. An example is with the include function, given it isn’t being used according to how PHP 5 wills it to be.

Learn more about url file access is disabled in the server configuration dreamhost and php absolute file path.

This entry was posted on Thursday, January 29th, 2009 at 1:44 am and is filed under Computers, General, Reference And Education, Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.