Can I suggest that we don’t use the file or fopen functions to open remote URLs? This is pretty much a security hole just waiting to happen. In fact, I’ve turned off allow_url_fopen to prevent such evil.
If someone has register_globals on, there’s precious little stopping someone from redefining the variable containing the remote URL with something pleasantly malicious, or changing the URL and turning every instance of b2 into a DOS bot, or stealing cookies by displaying theft code, etc., etc., etc.
Instead I’d suggest using curl or the like to safely fetch remote content.
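$file = safeUrlFetch($weblogs_xml_url);
## Safer way to fetch remote data. Less likely for someone to go and
## pass in a variable named $weblogs_xml_url.
function safeUrlFetch($remoteUrl) {
    # check that the url begins with 'http'
    $remoteUrl = strstr($remoteUrl, 'http');
    if ($remoteUrl === false) {
        # It's invalid, no soup for you.
        return false;
    }
    # fetch the data into a buffer
    $ch = curl_init($remoteUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $rawData = curl_exec($ch);
    curl_close($ch);
    # and split the data on new lines to behave like file()
    return ($rawData === false) ? false : explode("\n", $rawData);
}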
Granted, someone could still find some exploit with the result code, but at least this would work on sites as paranoid as I am.
- The topic ‘Please don’t use file to access remote urls.’ is closed to new replies.
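A stricter variant of the fetch helper discussed in the post, as an added example that is not part of the original post or of b2. The host name, `ALLOWED_HOSTS` and `isAllowedUrl()` are hypothetical; it pins the feed URL in a constant, parses the scheme instead of substring-matching it, and limits curl to HTTP(S) without redirects.

```php
<?php
// A constant cannot be overwritten by request parameters the way a global
// variable can when register_globals is on.
define('WEBLOGS_XML_URL', 'http://updates.example.com/changes.xml'); // placeholder
const ALLOWED_HOSTS = ['updates.example.com'];                       // placeholder

// Returns true only for http(s) URLs on an allowlisted host, without credentials.
function isAllowedUrl(string $url): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    return in_array(strtolower($p['host']), ALLOWED_HOSTS, true);
}

// Fetches the URL and returns its lines like file(), or false on any failure.
function safeUrlFetch(string $url) {
    if (!isAllowedUrl($url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file:// etc.
        CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allowlist
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $raw  = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($raw === false || $code !== 200) {
        return false;
    }
    return preg_split('/\R/', $raw);
}

// Constructed inputs: only the first passes the check.
foreach ([WEBLOGS_XML_URL, 'file:///etc/passwd', 'xhttp://other.example/',
          'http://other.example/x.xml'] as $u) {
    echo str_pad($u, 42), isAllowedUrl($u) ? "allowed\n" : "rejected\n";
}
```

Lines returned by the fetch are still untrusted input; pass them through `htmlspecialchars()` before echoing them into a page.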