PHP 4 is now becoming less used across the Internet, and instead being switched out with newer versions such as PHP 5. There have been many modifications that have been done under the hood, so to speak, and specifically webmasters will notice that they will have to find a new syntax in order to include remote files into a webpage.
Templates are usually the benefactors of including a remote file, as it makes it incredibly easy to read the resulting code and cuts down on bulk. PHP4 allowed developers limitless use of the include function in which to accomplish this, but PHP 5 is less lenient due to what is called an XSS attack, or cross-site scripting attacks. As a result, developers now have to learn new methods in including remote files.
An XSS attack will seek to inject code into a webmaster's website and attempt to run it. By using the normal include function that PHP 4 allowed for, this means that an attacker could easily include files from another server located anywhere in the world. In doing so, servers could become "zombies" that could spam or attack other websites and users at will, all without the webmaster knowing.
The configuration command we are referencing here is "allow_url_fopen." When functioning as a default installation, PHP 4 will allow this configuration to be on, while PHP 5 will default it as off. It essentially shuts down absolute file paths for PHP 5 users, so there is more emphasis on using relative paths. Don't fret, relative paths are just as easy to use and more secure.
Another method of using the include function in PHP 5 is to simply call the server's own base directory for calling files. This way the same syntax can be observed. The server variable for this base directory, "$_Server['document_root']," takes the place of the webmaster's domain name when including a file. Using this server variable, in effect, allows webmasters to still use absolute paths in their include functions. This is useful for bypassing changing all include functions to accommodate for relative paths.
It is recommended that the "allow_url_fopen" command be kept off, even though it could be easily changed in the server configuration if access to the server is granted. If for some reason there is no possible way to keep this configuration setting off, there should be more focus on sanitizing any input a user on a website might have into a database or variable. After all, web servers got along fairly fine with the setting defaulted to on in PHP 4.
Closing Comments
PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 is going to continue in popularity, and the good news is XSS attacks will downsize considerably along the way as a result. - 16928
Templates are usually the benefactors of including a remote file, as it makes it incredibly easy to read the resulting code and cuts down on bulk. PHP4 allowed developers limitless use of the include function in which to accomplish this, but PHP 5 is less lenient due to what is called an XSS attack, or cross-site scripting attacks. As a result, developers now have to learn new methods in including remote files.
An XSS attack will seek to inject code into a webmaster's website and attempt to run it. By using the normal include function that PHP 4 allowed for, this means that an attacker could easily include files from another server located anywhere in the world. In doing so, servers could become "zombies" that could spam or attack other websites and users at will, all without the webmaster knowing.
The configuration command we are referencing here is "allow_url_fopen." When functioning as a default installation, PHP 4 will allow this configuration to be on, while PHP 5 will default it as off. It essentially shuts down absolute file paths for PHP 5 users, so there is more emphasis on using relative paths. Don't fret, relative paths are just as easy to use and more secure.
Another method of using the include function in PHP 5 is to simply call the server's own base directory for calling files. This way the same syntax can be observed. The server variable for this base directory, "$_Server['document_root']," takes the place of the webmaster's domain name when including a file. Using this server variable, in effect, allows webmasters to still use absolute paths in their include functions. This is useful for bypassing changing all include functions to accommodate for relative paths.
It is recommended that the "allow_url_fopen" command be kept off, even though it could be easily changed in the server configuration if access to the server is granted. If for some reason there is no possible way to keep this configuration setting off, there should be more focus on sanitizing any input a user on a website might have into a database or variable. After all, web servers got along fairly fine with the setting defaulted to on in PHP 4.
Closing Comments
PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 is going to continue in popularity, and the good news is XSS attacks will downsize considerably along the way as a result. - 16928
About the Author:
Learn more on url file access is disabled in the server configuration lunarpages and url file access is disabled in the server configuration dreamhost.
No comments:
Post a Comment