Test Description
This test checks to see if allow_url_include is enabled. Note that this setting is only available since PHP 5.2, so the test will not run if you have an older version.
Security Implications
If disabled, allow_url_include bars remote file access via the include and require statements, but leaves it available for other file functions like fopen() and file_get_contents(). The include and require statements are the most common attack points for code injection attempts, so this setting plugs that particular hole without affecting the remote file access capabilities of the standard file functions.
Note that at this point we still recommend disabling allow_url_fopen as well, but developers who are confident in their secure coding practices may want to leave allow_url_fopen enabled.
By default, allow_url_include is disabled. If allow_url_fopen is disabled, allow_url_include is also disabled.
Recommendations
By default, allow_url_include is disabled. We strongly recommend keeping it disabled.
You can disable allow_url_include in the php.ini file:
    ; Disable allow_url_include for security reasons
    allow_url_include = 'off'

The setting can also be disabled in Apache's httpd.conf file:

    # Disable allow_url_include for security reasons
    php_flag allow_url_include off

For remote file access, consider using the cURL functions that PHP provides.
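
A runtime version of the check described under Test Description, as an added example that is not code from the original page or from the tool it describes. The function names ini_flag_enabled and check_allow_url_include are hypothetical; the status labels are this example's own.

```php
<?php
// Added example; function names are hypothetical, not part of any tool.

// Normalise an On/Off ini value. ini_get() returns strings such as
// "1", "", "0", "On" or "off" depending on where the value was set,
// and false when the directive does not exist in this build.
function ini_flag_enabled($name)
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    $value = strtolower(trim((string) $raw));
    if (in_array($value, array('on', 'yes', 'true'), true)) {
        return true;
    }
    return (int) $value !== 0;
}

function check_allow_url_include()
{
    // The directive was introduced in PHP 5.2; skip on older versions.
    if (version_compare(PHP_VERSION, '5.2.0', '<')) {
        return array('not run', 'allow_url_include needs PHP 5.2 or later');
    }
    $include = ini_flag_enabled('allow_url_include');
    $fopen   = ini_flag_enabled('allow_url_fopen');
    if ($include === null) {
        return array('not run', 'allow_url_include is not a known directive here');
    }
    if ($include && $fopen) {
        return array('warning', 'include/require can load remote URLs; set allow_url_include = off');
    }
    if ($include) {
        // allow_url_fopen off already blocks URL includes, but the flag
        // would take effect again if allow_url_fopen were re-enabled.
        return array('notice', 'allow_url_include is on but inert while allow_url_fopen is off');
    }
    if ($fopen) {
        return array('ok', 'allow_url_include is off; allow_url_fopen still permits remote file functions');
    }
    return array('ok', 'allow_url_include and allow_url_fopen are both off');
}

list($status, $detail) = check_allow_url_include();
echo $status . ': ' . $detail . PHP_EOL;
```

Run it through the web server rather than the command line: the CLI may read a different php.ini, and a php_flag line in httpd.conf only applies under Apache.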