How to fix errors caused by being unable to work with a remote page

Here is some great geeky information given by Network Solutions customer service to one of my clients, who passed it on to me. Since my servers have similar security standards, I frequently refer to the code examples and solutions illustrated below.
For security reasons (to prevent “PHP include” hacker attacks), some servers set the allow_url_fopen and allow_url_include PHP directives to off. If you see errors similar to the following on your website, then your website (or software you have installed on your website) uses insecure PHP calls.
Common Errors
Warning: fopen() [function.fopen]: URL file-access is disabled in the server configuration in /……../ on line (..)
Warning: file_get_contents() [function.file-get-contents]: URL file-access is disabled in the server configuration in /……../ on line (..)
Warning: include() [function.include]: URL file-access is disabled in the server configuration in /……../ on line (..)
Warning: getimagesize() [function.getimagesize]: URL file-access is disabled in the server configuration in /……../ on line (..)
Warning: readfile() [function.readfile]: URL file-access is disabled in the server configuration in /……../ on line (..)
Solution
WordPress / Joomla / Drupal Software: These applications do not use functions that require allow_url_fopen or allow_url_include to be turned on. However, certain third party plugins may require changes. If you see any of the errors above, try to isolate which plugin is causing the issue and replace it with an alternative plugin. You should also consider reporting the issue to the plugin developer so that they may fix it in an upcoming release. Alternatively, you can check out some of the examples below and attempt to fix the errors yourself.
Note: Do not attempt to fix issues yourself if you do not have prior software development experience. If the below does not make sense, you should consult with your web professional.
The errors above appear when your website attempts to retrieve outside web URLs. The solution is to use the PHP cURL library to do so instead, which is more secure. How you use PHP's cURL library to work around this issue depends on which warning you've received.

Example 1: Warning: fopen() [function.fopen]:

$file = "http://news.google.com/news?ned=us&topic=h&output=rss";
$xml_parser = xml_parser_create();
// startElement, endElement and characterData are handler functions defined elsewhere
xml_set_element_handler($xml_parser, "startElement", "endElement");
xml_set_character_data_handler($xml_parser, "characterData");
if (!($fp = fopen($file, "r"))) {
    die("could not open XML input");
}
while ($data = fread($fp, 4096)) {
    if (!xml_parse($xml_parser, $data, feof($fp))) {
        die(sprintf("XML error: %s at line %d",
            xml_error_string(xml_get_error_code($xml_parser)),
            xml_get_current_line_number($xml_parser)));
    }
}
In the above example, an attempt to open a Google RSS feed is being made. The fopen() call will fail because $file is an outside web site, and the rest of the code will not be executed. To properly load the RSS feed and parse it, this snippet of code would need to be rewritten as follows:
$xml_parser = xml_parser_create();
// startElement, endElement and characterData are handler functions defined elsewhere
xml_set_element_handler($xml_parser, "startElement", "endElement");
xml_set_character_data_handler($xml_parser, "characterData");
$file = "http://news.google.com/news?ned=us&topic=h&output=rss";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $file);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$xmldata = curl_exec($ch);
curl_close($ch);
// curl_exec() returns false when the transfer fails
if ($xmldata === false) {
    die("could not open XML input");
}
// split() was removed in PHP 7; the whole document is parsed in one call, flagged as final
if (!xml_parse($xml_parser, $xmldata, true)) {
    die(sprintf("XML error: %s at line %d",
        xml_error_string(xml_get_error_code($xml_parser)),
        xml_get_current_line_number($xml_parser)));
}

Example 2: Warning: file_get_contents() [function.file-get-contents]:
<?php
$contents = file_get_contents('http://www.cnn.com/');
echo $contents;
?>
In the above example, the file_get_contents function is used to retrieve the content of the CNN website. You can accomplish the same thing safely using CURL as follows:
<?php
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, 'http://www.cnn.com');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$contents = curl_exec($ch);
curl_close($ch);
// display file
echo $contents;
?>

Example 3: Warning: include() [function.include]:
Including files from web hosts is not allowed.
<?php include("http://www.example.com/new.php"); ?>
If the file that you are trying to include is local, use a relative path instead of the web URL. Otherwise, use the following:
<?php
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, 'http://www.example.com/new.php');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$contents = curl_exec($ch);
curl_close($ch);
// display file: the fetched text is printed as-is, it is not executed as PHP
echo $contents;
?>

Example 4: Warning: getimagesize() [function.getimagesize]:
getimagesize() allows you to get the height, width and size of an image file. To use getimagesize() safely, CURL can be used to get the remote file, the data can be saved to a local temporary image file and getimagesize() can be used on the local version.
<?php
$filename = "http://www.example.com/example.jpg";
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $filename);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$contents = curl_exec($ch);
curl_close($ch);
// stop if the download failed or the data is not a valid image
if ($contents === false || !($new_image = imagecreatefromstring($contents))) {
    die("could not read remote image");
}
// save a local copy and measure that instead of the remote URL
imagejpeg($new_image, "temp.jpg", 100);
$size = getimagesize("temp.jpg");
// width and height
$width = $size[0];
$height = $size[1];
?>

Example 5: Warning: readfile() [function.readfile]:
<?php
$contents = readfile('http://www.example.com/some.txt');
echo $contents;
?>
In the above example, the readfile function is used to retrieve the content of a remote text file. You can accomplish the same thing safely using CURL as follows:
<?php
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, 'http://www.example.com/some.txt');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
$contents = curl_exec($ch);
curl_close($ch);
// display file
echo $contents;
?>
The above examples are not guaranteed to run without changes; they are strictly guidance to illustrate how to safely retrieve off-site content.
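A hardened form of the cURL pattern from Examples 1, 2 and 5, as an added example that is not part of the original post. The function name fetch_remote(), its parameters, the 2 MB size cap and the timeout values are assumptions chosen for illustration.

```php
<?php
// Added example; fetch_remote() and its parameters are hypothetical names.
function fetch_remote(string $url, array $allowedHosts, int $maxBytes = 2097152): string
{
    // Only absolute http(s) URLs to hosts the site owner has approved.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $host   = strtolower((string) parse_url($url, PHP_URL_HOST));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("Refusing URL scheme '$scheme'");
    }
    if (!in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException("Host '$host' is not on the allow-list");
    }
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // enforced in libcurl too
        CURLOPT_FOLLOWLOCATION => false, // a redirect could point at an unapproved host
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate checks on for https
        CURLOPT_SSL_VERIFYHOST => 2,
        // Collect the body ourselves so an oversized response is cut off early.
        CURLOPT_WRITEFUNCTION  => function ($handle, string $chunk) use (&$body, $maxBytes): int {
            if (strlen($body) + strlen($chunk) > $maxBytes) {
                return -1; // returning anything but strlen($chunk) aborts the transfer
            }
            $body .= $chunk;
            return strlen($chunk);
        },
    ]);
    $ok     = curl_exec($ch);
    $error  = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($ok === false) {
        throw new RuntimeException("Fetch failed: $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("Unexpected HTTP status $status");
    }
    return $body;
}

// Constructed usage: the result is data, so escape it on output; never include() or eval() it.
try {
    echo htmlspecialchars(fetch_remote('http://www.example.com/some.txt', ['www.example.com']), ENT_QUOTES, 'UTF-8');
} catch (Exception $e) {
    error_log($e->getMessage()); // log the reason, show nothing to the visitor
}
```

For the getimagesize() case in Example 4, the returned bytes can be passed to getimagesizefromstring(), so no temporary file is needed.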
- See more at: http://goffgrafix.com/blog/index.php/2010/04/if-your-server-sets-the-allow_url_fopen-and-allow_url_include-php-directives-off/
