Is there a way to make an external website appear to be on your domain, perhaps by adding it to the end of your URL for example? Any technique at all?
Explain the security flaw in echo file_get_contents('http://www.google.com');
Most of us turn off that ability in the php.ini for security reasons. For if external resources are allowed to be read as files, an attacker need only get this code to execute to pOwn you.
Did you try using a frame or an iframe?
The PHP setting in question allows not only file_get_contents to grab external files, but allows include, require, include_once and require_once to do the same. The flaw is that those libraries are not built to filter incoming data for malicious attack. It’s a serious potential problem, and overall it’s simply safer to turn off the ability to open external resources and use cURL instead, which does filter incoming data and is more secure as a result.
I understand what you’re saying, but I fail to see where the problem is considering there’s nothing being eval’d.
You aren’t evaling anything there - true. But say you turn that setting on and another script using register globals has this going on
If the hacker put in “http://my.attack.script.com” then they now own your machine. If the setting is turned off this particular hack fails.
Now I’m not a hacker, so I don’t know how many other ways that setting can be attacked. I just know it is insecure and should not be used at all. Use cURL.
Or go ahead and allow the server to include and use external resources. Your site, your choice. But just so everyone reading is clear, it’s not best practice. It’s the digital equivalent of playing with fire - do this sort of thing enough and you will get burned.
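An added example, not code from any poster in this thread: the php.ini directives that control remote URLs in file functions and in include/require are allow_url_fopen and allow_url_include, and the sketch below pairs them with a cURL fetch limited to an allowlist and an include path resolved through a fixed map. The function names, the allowlist and the page map are assumptions made for illustration.

```php
<?php
// Added example; function names, allowlist and page map are hypothetical.
// Assumed php.ini hardening for the setting discussed in the thread:
//   allow_url_fopen   = Off
//   allow_url_include = Off

const ALLOWED_HOSTS = ['www.google.com'];                      // constructed
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];  // constructed

// Fetch a remote page with cURL and return it as data, never as code.
function fetch_remote(string $url): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)
        || !in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('URL not on the allowlist');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allowlist
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Map a request value to a local file through a fixed table, so the
// user-supplied string is only a lookup key and never the include path.
function resolve_page(string $name): string
{
    if (!array_key_exists($name, PAGES)) {
        throw new InvalidArgumentException('Unknown page');
    }
    return __DIR__ . '/pages/' . PAGES[$name];
}

// Offline check: a known key resolves, the URL quoted in the thread does not.
foreach (['home', 'http://my.attack.script.com'] as $candidate) {
    try {
        echo 'include path: ', resolve_page($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $candidate, PHP_EOL;
    }
}
```

In a real page the result of resolve_page() would be passed to include, and the body returned by fetch_remote() would be treated as untrusted input before it is echoed.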