How to Check If Allow_Url_Fopen Is Enabled or Not

How to check if allow_url_fopen is enabled or not

Use ini_get() (docs) to get the value of certain configuration parameters:

if( \filter_var( \ini_get('allow_url_fopen'), \FILTER_VALIDATE_BOOLEAN ) ) {
   // lucky me...
} 

allow_url_fopen is on but phpinfo says off

I was able to find where allow_url_fopen was switched off inside of WHM by editing the "MultiPHP INI Editor" section. From there I selected PHP7. The first option it gave me to to enable allow_url_fopen. This fixed my error.

I couldn't find where allow_url_fopen was disabled at all through SSH. I guess it is because I didn't understand the upgrade procedure from PHP5 to PHP7 and that I had PHP7 enabled only per account through cPanel though Root apeared to be still using PHP5 for php.ini.

Should I allow 'allow_url_fopen' in PHP?

You definitely want allow_url_include set to Off, which mitigates many of the risks of allow_url_fopen as well.

But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopen may deter the least determined cracker.

Is allow_url_fopen safe?

This is just one reason why you may want allow_url_fopen set to 0

Let's say you allow users to enter a url, and you have your server fetch this url.

You might code something like this: - YOU SHOULD NOT CODE THIS -

echo file_get_contents($_POST['url']);

Problem is that there is a security issue here. Somebody could pass a file path instead of a url and have access to your server's files.

For example, somebody might pass /etc/passwd as a url, and be able to view its contents.

Now, if allow_url_fopen were set to 0, you wouldn't be using file_get_contents to fetch URL's, you would be using CURL.

allow_url_fopen disabled on server

You tested for allow_url_open, not allow_url_fopen. Therefore, ini_get will return FALSE.

Also, have a look at the documentation. It returns a string ("1" or "0"), and only the boolean FALSE if that option does not exist.

Server configuration by allow_url_fopen=0 in

If you do not have the ability to modify your php.ini file, use cURL:
PHP Curl And Cookies

Here is an example function I created:

function get_web_page( $url, $cookiesIn = '' ){
        $options = array(
            CURLOPT_RETURNTRANSFER => true,     // return web page
            CURLOPT_HEADER         => true,     //return headers in addition to content
            CURLOPT_FOLLOWLOCATION => true,     // follow redirects
            CURLOPT_ENCODING       => "",       // handle all encodings
            CURLOPT_AUTOREFERER    => true,     // set referer on redirect
            CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
            CURLOPT_TIMEOUT        => 120,      // timeout on response
            CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
            CURLINFO_HEADER_OUT    => true,
            CURLOPT_SSL_VERIFYPEER => true,     // Validate SSL Cert
            CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
            CURLOPT_COOKIE         => $cookiesIn
        );

        $ch      = curl_init( $url );
        curl_setopt_array( $ch, $options );
        $rough_content = curl_exec( $ch );
        $err     = curl_errno( $ch );
        $errmsg  = curl_error( $ch );
        $header  = curl_getinfo( $ch );
        curl_close( $ch );

        $header_content = substr($rough_content, 0, $header['header_size']);
        $body_content = trim(str_replace($header_content, '', $rough_content));
        $pattern = "#Set-Cookie:\\s+(?<cookie>[^=]+=[^;]+)#m"; 
        preg_match_all($pattern, $header_content, $matches); 
        $cookiesOut = implode("; ", $matches['cookie']);

        $header['errno']   = $err;
        $header['errmsg']  = $errmsg;
        $header['headers']  = $header_content;
        $header['content'] = $body_content;
        $header['cookies'] = $cookiesOut;
    return $header;
}

NOTE: In revisiting this function I noticed that I had disabled SSL checks in this code. That is generally a BAD thing even though in my particular case the site I was using it on was local and was safe. As a result I've modified this code to have SSL checks on by default. If for some reason you need to change that, you can simply update the value for CURLOPT_SSL_VERIFYPEER, but I wanted the code to be secure by default if someone uses this.

alternate method if allow_url_fopen if off in php.ini file

Copying an uploaded file to another location on the web server should never involve an URL. Not sure what's going wrong here - I can't see an URL anywhere.

Anyway, you should use move_uploaded_file() for this, not copy(). Try whether that works better.

Also try using an absolute path instead of the relative album/.....

allow_url_fopen is on, still can't fetch data

try

ini_set("allow_url_fopen", 1);
if (ini_get("allow_url_fopen") == 1) {
echo "allow_url_fopen is ON";
} else {
echo "allow_url_fopen is OFF";
}
print ini_get("allow_url_fopen");  

or you can try a different method

function curl($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    $return = curl_exec($ch);
    curl_close ($ch);
    return $return;
}
$string = curl('http://www.example.org/myfile.php'); 

Try to add this code to your .htaccess file:

php_value allow_url_fopen On

if using wamp php.ini are two folders C:\wamp\bin\apache\apacheVersion\bin and C:\wamp\bin\php\phpVersion so make setting allow_url_fopen=on in both files

---

Related Topics