Security Implications
If enabled, allow_url_fopen allows PHP's file functions -- such as
file_get_contents()and theincludeandrequirestatements -- can retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.allow_url_fopen is off by default.
Recommendations
You should enable allow_url_fopen in the php.ini file:
; Disable allow_url_fopen for security reasons allow_url_fopen = 'on'The setting can also be enable in .htaccess file:
# Disable allow_url_fopen for security reasons php_flag allow_url_fopen onFor remote file access, consider using the cURL functions that PHP provides.
