As Valette noted, Dreamhost finally shut off allow_url_fopen (this is the PHP option that allows you to do stupid things like “fopen(‘http://evilhacker.com’);” Oh sure, you may not intend to do that, but if you’ve got unassigned variables that’s exactly what you’re allowing folks to do).
This, undoubtedly, has a great many folks in a tizzy, but needlessly so. You’ve got a FAR more powerful replacement readily available in PHP’s implementation of the curl library. This utterly amazing chunk of software gives you total and absolute control over your back end request.
Here’s an example. Let’s say that like Valette, you’ve got some remote site you’re scraping data from. In the old, nasty, evil, icky way you could do:
which would fetch the page into $buffer. But it would also hang your page for up to 30 seconds if http://example.com and God forbid they were to simply block robots and spiders from crawling their data.
Or God forbid the following:
Sure, that does get the contents of http://example.com, but it also tells your local machine to run whatever lurking evil crap may be in that page. What happens when example.com gets hacked and someone inserts a virus into the page? Bad things happen. Really bad things. Taste-testing electrical sockets, sorts of bad things. Picking up hitchhikers outside of penitentiaries and bringing them home for drinks and a gander at your collection of unlocked high power firearms, bad things.
Now, enter curl:
$curl_handle = curl_init();
// Where should we get the data?
curl_setopt ($curl_handle, CURLOPT_URL, 'http://example.com');
// This says not to dump it directly to the output stream, but instead
// have it return as a string.
curl_setopt ($curl_handle, CURLOPT_RETURNTRANSFER, 1);
// the following is optional, but you should consider setting it
// anyway. It prevents your page from hanging if the remote site is
curl_setopt ($curl_handle, CURLOPT_CONNECTTIMEOUT, 1);
// Now, YOU make the call.
$buffer = curl_exec($curl_handle);
// And tell it to shut down (when you're done. You can always make more
// calls if you want.)
curl_close($curl_handle);
// This is where I'd probably do some extra checks on what I just got
// (curl_exec returns false on failure, so test for that at the very least).
// Paranoia pays dividends.
Yeah, it’s a few more lines of code, but that’s what subroutines are for. Thing is, there are tons of options you can set that literally control every aspect of the call, plus, it’s far safer because you can only call out to a remote website explicitly. This means that when some hacker discovers an uninitialized variable that’s being used inside of your code, they can’t use it to load their own code and hijack your site.
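Here is the sort of subroutine I mean, written for this post as an added example rather than code from the original. The allowlist of hosts, the timeouts and the one-megabyte size cap are assumptions; adjust them to taste.

```php
<?php
// Added example (not the original post's code): a reusable curl fetch
// subroutine that only contacts hosts you name explicitly, never follows
// redirects, and gives up instead of hanging when the remote site is slow.
// The allowlist, timeouts and size cap are assumptions for this example.

function fetch_remote(string $url, array $allowed_hosts, int $max_bytes = 1048576): ?string
{
    // Only http/https URLs whose host is on the allowlist are ever fetched,
    // so a tainted variable cannot point the call somewhere else.
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,   // hand the body back as a string
        CURLOPT_CONNECTTIMEOUT => 2,      // seconds to establish the connection
        CURLOPT_TIMEOUT        => 5,      // seconds for the whole transfer
        CURLOPT_FOLLOWLOCATION => false,  // do not let the remote site send us elsewhere
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_USERAGENT      => 'example-fetcher/1.0',
    ]);

    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    // Paranoia checks: transport error, non-200 reply, or oversized body.
    if ($body === false || $err !== '' || $status !== 200 || strlen($body) > $max_bytes) {
        return null;
    }
    return $body;
}

// Usage: the fetched HTML is data to parse, never code to include() or eval().
$page = fetch_remote('http://example.com/', ['example.com']);
if ($page === null) {
    echo "fetch failed or refused\n";
} else {
    echo "got " . strlen($page) . " bytes\n";
}
```

Whatever comes back is treated as a string to inspect, which is the whole point: nothing in it can run on your server unless you deliberately hand it to include() or eval().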
(By the way, PLEASE add the following bit of code to your .htaccess file:
php_flag register_globals off
This will break packages like phpNuke, and (older copies of) ATP, but that’s good. It also means that the vulnerabilities that those packages have are neutralized.
There, see? It’s not so bad after all.