PHP 4 is becoming less common across the Internet as sites switch to newer versions such as PHP 5. Many changes have been made under the hood, so to speak, and webmasters in particular will notice that they need a new syntax in order to include remote files in a webpage.
Templates are usually the beneficiaries of including a remote file, as it makes the resulting code much easier to read and cuts down on bulk. PHP 4 allowed developers limitless use of the include function to accomplish this, but PHP 5 is less lenient because of what is called an XSS attack, or cross-site scripting attack. As a result, developers now have to learn new methods of including remote files.
What is really scary about an XSS attack is that it can enslave a server into doing the evil bidding of hackers all around the world, and without the administrator knowing a single thing. XSS attacks have been known to be the backbone of direct denial of service attacks, and some even act as proxies for sending out spam mail. In both instances, an administrator may be in trouble for something they didn’t do.
PHP 5 has fixed the problem by setting the PHP configuration directive “allow_url_fopen” to “off” in the configuration file. This allows webmasters to still use the include function, but they can’t use absolute paths anymore. One way around this is to simply use relative paths instead, which are easier to type out and are a cinch to put into action.
There is still a way to use the include function with something like an absolute file path: a server variable that holds the root path of the website on the server. With it, webmasters can use absolute file paths to files that reside on their own server. The variable in question is referred to as “$_SERVER['DOCUMENT_ROOT'],” but keep in mind that not all hosts allow this variable to operate. If not, other workarounds may be necessary, such as using the “file_get_contents” function, which is much like the include function.
It is recommended that the “allow_url_fopen” setting be kept off, even though it could easily be changed in the server configuration if access to the server is granted. If for some reason there is no possible way to keep this configuration setting off, more focus should be placed on sanitizing any input that a user of the website might supply to a database or variable. After all, web servers got along fairly fine with the setting defaulted to on in PHP 4.
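The following added example (not code from the original article) combines the two recommendations above: it builds the include path from $_SERVER['DOCUMENT_ROOT'] and sanitizes the user-supplied page name before it reaches include. The function name resolve_template, the "templates" directory, the "page" query parameter and the "home" default are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not from the original article.
// Assumes templates are stored as <document root>/templates/<name>.php.

function resolve_template($name, $docRoot)
{
    // Accept only a plain name: no slashes, dots or URL schemes can pass.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        throw new InvalidArgumentException('Invalid template name');
    }

    $baseDir = realpath($docRoot . '/templates');
    if ($baseDir === false) {
        throw new RuntimeException('Template directory not found');
    }

    // realpath() resolves symlinks and "..", so the prefix check below
    // confirms the file really sits inside the template directory.
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($path === false || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Template not found');
    }

    return $path;
}

// Make the setting discussed above visible in the error log when it is on.
if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_fopen is enabled; URL wrappers are available to file functions');
}

// $_GET['page'] is user input; 'home' is a constructed default.
$page = isset($_GET['page']) ? $_GET['page'] : 'home';

try {
    include resolve_template($page, $_SERVER['DOCUMENT_ROOT']);
} catch (Exception $e) {
    // Fail closed: do not echo the requested name back to the client.
    header('HTTP/1.0 404 Not Found');
    echo 'Page not found';
}
```

Because the name is validated before any path is built, a value containing a URL or a "../" sequence is rejected without touching the filesystem.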
Final Thoughts
PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 is going to continue to grow in popularity, and the good news is that XSS attacks will decline considerably along the way as a result.