Knowledgebase

How do I set allow_url_include to On

The PHP setting allow_url_include is disabled on all Hawk Host servers and for the protection of our users is a setting we do not allow to be overridden through our PHP selector's setting system. The allow_url_include directive is by default disabled in PHP and as of PHP 7.4 is deprecated and will produce an error when enabled.

The allow_url_include directive makes the functions include, include_once, require and require_once URL aware which has major security implications. When used it will execute anything remotely as PHP which means if you're including a remote website it could easily injection PHP code into your website. This capability also is frequently used in malicious files and exploits within software. Here are some examples of it being used and alternative methods so that you do not need this setting:

The developer needs to include additional PHP files within their index.php of the website uses:

<php include("http://mywebsite.com/includes/header.php"); ?>

This can alternatively be written as:

<php include("includes/header.php"); ?>

This is not only safe but quicker than remotely visiting your website for the header contents.

There may also be cases where it's being used to add external content from another website and may look like this:

<?php include("http://www.otherwebsite.com/scores.txt"); ?>

You could alternatively write this as:

<?php print file_get_contents("http://www.otherwebsite.com/scores.txt"); ?> ?>

Keep in mind however printing contents from a remote website can be dangerous for website visitors as it could contain malicious html/javascript code but this will not execute PHP code which makes it safer for your website.

If you have third party applications and developers still insisting it is necessary to turn allow_url_include on we recommend linking them to this article and many others on the internet which discuss how dangerous allow_url_include on is.

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Available Node.js Versions

We recommended all Node.js applications are created using our Setup Node.js Application...

Available Python Versions

We recommended all Python applications are created using our Setup Python Application interface....

Available Ruby Versions

We recommended all Ruby applications are created using our Setup Ruby Application interface. If...

Default permissions on folders and PHP files.

We currently run Litespeed Web Server which runs PHP as the user so files and folders should...

Do you support Ruby on Rails?

Yes we support Ruby On Rails and you can install and utilize many different versions of Ruby and...