
Security Concerns With Including A File With PHP 4 Platforms

January 29th, 2009 . by Learn For Free

PHP 4 is now used less and less across the Internet and is being replaced by newer versions such as PHP 5. Much has changed under the hood, and one change webmasters will notice right away is that including remote files in a web page requires a different syntax.

Remote files are often included in a web page as a way for webmasters to modularize and organize their code. Included files make administering a website quick and painless, but with the move away from PHP 4 the syntax changes a little. The reason is that cross-site scripting attacks, or XSS attacks, have become a serious threat to developers everywhere.

What is really scary about an XSS attack is that it can enslave a server into doing the bidding of attackers all around the world without the administrator knowing a single thing. XSS attacks have been known to be the backbone of distributed denial of service attacks, and some compromised servers even act as proxies for sending out spam mail. In both cases, an administrator may be held responsible for something they didn’t do.

XSS attacks work mostly because “allow_url_fopen” is set to on, which is the default setting in PHP 4. In PHP 5, however, the default is to turn it off. As a result, webmasters will not be able to include files by absolute URL without a little extra work. Instead, developers are urged to use relative file paths when including files.

Another way to use the include function in PHP 5 is to build the path from the server’s own document root. This way the familiar absolute-path syntax can still be used. The server variable for this base directory, “$_SERVER['DOCUMENT_ROOT']”, takes the place of the webmaster’s domain name when including a file: the file is then read from the local filesystem rather than fetched over HTTP. Using this server variable lets webmasters keep absolute paths in their include statements and avoids rewriting every include to use a relative path.
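The substitution described above, as an added example that is not from the original post: the PHP 4 style URL include is shown commented out beside the document-root version, followed by a hypothetical helper (local_include_path, assumed to live in a site whose modules sit under DOCUMENT_ROOT/includes/) that only ever includes a local file below that directory.

```php
<?php
// Added example, not code from the original post. Assumes the site's
// modules live under <document root>/includes/, e.g. /var/www/html/includes/header.php.

// PHP 4 style the post is moving away from: an absolute URL to the site's own file.
// It needs allow_url_fopen on, and the file is fetched over HTTP, not read from disk.
// include 'http://www.example.com/includes/header.php';

// PHP 5 style from the post: the document root replaces the domain name, so the
// path stays absolute but the file is read from the local filesystem.
// include $_SERVER['DOCUMENT_ROOT'] . '/includes/header.php';

/**
 * Hypothetical helper: resolve a module name ("header", "nav/menu") to an
 * absolute file path under DOCUMENT_ROOT/includes, or return null if the
 * name is not a plain local module. The checks follow the post's advice to
 * sanitize anything a visitor could influence before it reaches an include.
 */
function local_include_path($module)
{
    // Accept only simple names; this rejects URLs ("http://..."), "..",
    // null bytes and any other unexpected characters.
    if (!preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*$~', $module)) {
        return null;
    }
    $base = realpath($_SERVER['DOCUMENT_ROOT'] . '/includes');
    $path = realpath($base . '/' . $module . '.php');
    // realpath() returns false for a missing file; also confirm the resolved
    // path is still inside the includes directory (defence in depth).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: include the site header from disk, or fail closed if it is not a known module.
$path = local_include_path('header');
if ($path !== null) {
    include $path;
} else {
    header('HTTP/1.0 404 Not Found');
    echo 'Unknown module';
}
```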

It is recommended that the “allow_url_fopen” setting be kept off, even though it can easily be changed in the server configuration by anyone with access to the server. If for some reason there is no way to keep this setting off, the focus should shift to sanitizing any input a website visitor can place into a database or variable. After all, web servers got along fairly well with the setting defaulted to on in PHP 4.

Closing Comments

PHP 4 is slowly fading into the background as new standards are accepted and put into use. PHP 5 will continue to grow in popularity, and the good news is that XSS attacks should decline considerably along the way as a result.
