Thursday, January 29, 2009

Using The Include Function With PHP 5 And Future Versions

By Chris Channing

PHP 4 is now used less and less across the Internet, and is being replaced by newer versions such as PHP 5. Many modifications have been made under the hood, so to speak, and in particular webmasters will notice that they have to learn a new syntax in order to include remote files in a web page.

Templates are usually the main beneficiaries of including a remote file, since it makes the resulting code far easier to read and cuts down on bulk. PHP 4 allowed developers unrestricted use of the include function to accomplish this, but PHP 5 is less lenient because of what is called an XSS attack, or cross-site scripting attack. As a result, developers now have to learn new methods of including remote files.

What is really scary about an XSS attack is that it can enslave a server into doing the bidding of attackers all around the world without the administrator knowing a single thing. XSS attacks have been known to be the backbone of distributed denial of service attacks, and some compromised servers even act as proxies for sending out spam mail. In both cases, an administrator may be held responsible for something they didn't do.

The configuration directive we are referring to here is "allow_url_fopen". In a default installation, PHP 4 leaves this directive on, while PHP 5 defaults it to off. It essentially shuts down URL-style absolute paths in include calls for PHP 5 users, so there is more emphasis on using relative paths. Don't fret: relative paths are just as easy to use and more secure.

Another method of using the include function in PHP 5 is simply to build the path from the server's own base directory. This way the same syntax can be kept. The server variable for this base directory, "$_SERVER['DOCUMENT_ROOT']", takes the place of the webmaster's domain name when including a file. Using this server variable, in effect, lets webmasters keep absolute paths in their include calls, and saves them from rewriting every include to accommodate relative paths.
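The following is an added example, not code from the original article: a small helper that builds include paths from $_SERVER['DOCUMENT_ROOT'] as described above, refuses anything that looks like a URL, and refuses any path that resolves outside the document root. The "templates" directory and the header/footer file names are assumptions; the code is written to run on PHP 5 as well as current versions.

```php
<?php
// Added example (not from the original article): include template
// fragments by an absolute path built from $_SERVER['DOCUMENT_ROOT'].
// The templates/ directory and file names below are assumptions.

/**
 * Resolve $relative against the document root.
 * Returns the absolute path, or false if the argument is a URL, the file
 * does not exist, or it resolves outside the document root.
 */
function resolve_local_include($relative)
{
    $root = realpath($_SERVER['DOCUMENT_ROOT']);
    if ($root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Never accept a URL: the whole point is not to pull code over the network.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $relative)) {
        return false;
    }

    // realpath() collapses "../" segments, so the prefix check below is
    // made on the real location of the file, not on the string we were given.
    $candidate = realpath($root . ltrim($relative, '/\\'));
    if ($candidate === false) {
        return false;
    }
    if (strpos($candidate, $root) !== 0) {
        return false;
    }
    return $candidate;
}

/**
 * Include a template fragment, or stop with an error rather than fall back
 * to a remote or out-of-root file.
 */
function include_template($relative)
{
    $path = resolve_local_include($relative);
    if ($path === false) {
        trigger_error("Refusing to include '" . $relative . "'", E_USER_ERROR);
        return;
    }
    require $path;
}

// PHP 4 style that depends on allow_url_fopen (the pattern the article
// says to abandon):
//   include 'http://www.example.com/templates/header.php';
//
// PHP 5 style using the server's own base directory instead:
include_template('templates/header.php');
echo "<p>Page body goes here.</p>\n";
include_template('templates/footer.php');
```

Because the prefix check is done on the output of realpath(), a request such as "templates/../../etc/passwd" resolves to a path that does not start with the document root and is rejected, so the helper is safe to use even when the fragment name is assembled from configuration or user-controlled data. The helper works regardless of whether allow_url_fopen is on or off, which is what lets a site keep that directive off as the article recommends.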

For webmasters who don't like change, the urge to turn the setting back on is probably hard to resist. But webmasters are urged to keep this setting off to avoid the most common XSS attacks, as encouraged by the PHP community, who considered the problem serious enough to change the default behavior. Instead, learn the new syntax or the workaround above and keep your server secure, your users happy, and your troubles minimal.

Final Thoughts

PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 will continue to grow in popularity, and the good news is that XSS attacks will decline considerably along the way as a result.
