How do I set allow_url_include to On Print

  • 0

The PHP setting allow_url_include is disabled on all Hawk Host servers and for the protection of our users is a setting we do not allow to be overridden through our PHP selector's setting system. The allow_url_include directive is by default disabled in PHP and as of PHP 7.4 is deprecated and will produce an error when enabled.

The allow_url_include directive makes the functions include, include_once, require and require_once URL aware which has major security implications. When used it will execute anything remotely as PHP which means if you're including a remote website it could easily injection PHP code into your website. This capability also is frequently used in malicious files and exploits within software. Here are some examples of it being used and alternative methods so that you do not need this setting:

The developer needs to include additional PHP files within their index.php of the website uses:

<php include(""); ?>

This can alternatively be written as:

<php include("includes/header.php"); ?>

This is not only safe but quicker than remotely visiting your website for the header contents.

There may also be cases where it's being used to add external content from another website and may look like this:

<?php include(""); ?>

You could alternatively write this as:

<?php print file_get_contents(""); ?> ?>

Keep in mind however printing contents from a remote website can be dangerous for website visitors as it could contain malicious html/javascript code but this will not execute PHP code which makes it safer for your website.

If you have third party applications and developers still insisting it is necessary to turn allow_url_include on we recommend linking them to this article and many others on the internet which discuss how dangerous allow_url_include on is.

Was this answer helpful?

« Back

Ready to get started? Build your site from