Should I allow 'allow_url_fopen' in PHP?

I think the answer comes down to how well you trust your developers to use the feature responsibly? Data from a external URL should be treated like any other untrusted input and as long as that is understood, what’s the big deal?

The way I see it is that if you treat your developers like children and never let them handle sharp things, then you’ll have developers who never learn the responsibility of writing secure code.

More Related Contents:

Warning about `$HTTP_RAW_POST_DATA` being deprecated
create ini file, write values in PHP
PHP Warning: Module already loaded in Unknown on line 0
Parse HTML as PHP
Stop script execution upon notice/warning
PHP files are downloaded by browser instead of processed by local dev server (MAMP)
How do I include a php.ini file in another php.ini file?
How to always use ignore-platform-reqs flag when running composer?
Pass PHP variable value into HTML label [closed]
Auto Increment ID’s of 4 digit
php nested while loop. Inner loop works only once [closed]
imagepng() expects parameter 1 to be resource [closed]
How to write this array in loop?
Can I bind an array to an IN() condition in a PDO query?
Setting Curl’s Timeout in PHP
Cannot modify header information – headers already sent by… WordPress Issue [duplicate]
PHP Accessing Parent Class Variable
How to read only 5 last line of the text file in PHP?
Remove empty tags from a XML with PHP
How can I send cookies using PHP curl in addition to CURLOPT_COOKIEFILE?
Is mysql_insert_id safe to use?
php validate integer
How to implement Content-Disposition: attachment?
dompdf character encoding UTF-8
PHP – Get key name of array value
How to prefix a positive number with plus sign in PHP
Guzzle 6: no more json() method for responses
PHP Multiple Curl Requests
Interpreting return value of function directly as an array
How to implement a bitmask in php?

Should I allow ‘allow_url_fopen’ in PHP?

Leave a Comment Cancel reply