I am using a XAMPP server on my system, and by tweaking some php.ini settings on the XAMPP server I just discovered that I can include PHP files from my remotely hosted site. Although I was not able to access the variables in the remote file, I am still scared that a professional hacker could access those variables. I am scared because the URL shows the path of the file. I know I can hide the extension of the file using .htaccess, but anyone can still guess the file type because there are only a few types of server-side scripts commonly used by web developers. Please let me know if there is any way to prevent my server files from being included on a remote server, or on servers which run on the same server where my site resides, or whether there is nothing to worry about.
-1
-
Simply, don't do this. Then there is nothing to worry about. Put the ini settings back to their defaults, and forget they are there. – Leigh Sep 06 '12 at 07:04
2 Answers
1
In php.ini, disable URL includes like this:
allow_url_include = Off

WatsMyName
-
Yes, but this is already set to Off on my remote server; I just turned it On on my system to access remote files. – Sk MiRaj Sep 06 '12 at 07:10
-
Well, turning this on on your local machine won't hamper the remote server files if it's turned off there. All that is vulnerable is your local machine, so there is no point in worrying. – WatsMyName Sep 06 '12 at 07:12
-
1
allow_url_include = On
What this option does is to allow you to write code like this:
include 'http://example.com/foo.php';
It does not allow other people to include files which are on your server.
Your fears are entirely baseless.
Any .php file on your server will always be executed by Apache when somebody accesses them through a URL. Nobody can see your source code just like that. (Assuming Apache is not broken or severely misconfigured.)
PS: allow_url_include should be turned off anyway. It's a bad idea.

deceze
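The point both answers make is that `allow_url_include` governs only what the PHP installation reading that php.ini may include. As an added example (not code from this thread), the Python sketch below audits php.ini text for that setting. The two sample configurations are constructed to mirror the asker's local XAMPP box and remote host, the function names are hypothetical, and it assumes a single php.ini, ignoring `.user.ini`, additional scanned ini files and per-host sections.

```python
import re

# PHP's defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}

# Constructed samples mirroring the thread: local XAMPP vs. remote host.
LOCAL_XAMPP_INI = "[PHP]\nallow_url_fopen = On\nallow_url_include = On ; tweaked\n"
REMOTE_HOST_INI = "[PHP]\nallow_url_fopen = On\nallow_url_include = Off\n"

def php_bool(raw):
    """Interpret a php.ini boolean: On/True/Yes or a non-zero integer is true."""
    value = raw.strip().strip("\"'").lower()
    if value in {"on", "true", "yes"}:
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False  # Off, False, No, None, empty string

def effective_flags(ini_text):
    """Return the last-set value of each URL-wrapper directive."""
    flags = dict(DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        match = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        # Directive names are case-sensitive, so compare them as written.
        if match and match.group(1) in flags:
            flags[match.group(1)] = php_bool(match.group(2))
    return flags

def audit(ini_text):
    """Report what THIS installation may include; other servers are unaffected."""
    flags = effective_flags(ini_text)
    # allow_url_include only takes effect when allow_url_fopen is also enabled.
    remote_include = flags["allow_url_fopen"] and flags["allow_url_include"]
    findings = []
    if remote_include:
        findings.append("include/require accept URL wrappers such as http:// here")
    elif flags["allow_url_include"]:
        findings.append("allow_url_include is On but inert: allow_url_fopen is Off")
    return remote_include, findings

if __name__ == "__main__":
    for name, ini in (("local", LOCAL_XAMPP_INI), ("remote", REMOTE_HOST_INI)):
        print(name, audit(ini))
```

Only the local configuration is flagged; the remote host's own php.ini still reports no URL includes, whatever the local machine enables.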