PHP RSS jQuery News Ticker problems

I thought Curl was bound by the same limitations when allow_url_fopen was disabled?

Though it makes sense with the name. I figured that it simply disabled all remote-file grabbing.

I’ve had my site on DreamHost for a while. I used to have includes with absolute URLs (for my own feed on different depth pages) and they worked fine. Then DreamHost decided that for security allow_url_fopen would be disabled. My includes broke so I changed to cURL. DreamHost has since re-enabled allow_url_fopen but with PHP 5.2+ they now have allow_url_include disabled. So fopen(), file_get_contents() etc. will work with absolute URLs but include and require won’t.

I’m not a hacker so I don’t know how something would be crafted - I think it has to do with dynamically created include lines. But it most definitely has a lot to do with improperly validated/filtered user-supplied input.

So I think cURL is independent of allow_url_fopen, but it does require that cURL be enabled of course. Not sure why it would be more secure, but I imagine it’s because cURL code tends to be more verbose and more deliberate than the comparatively simple fopen() code.

If it’s for your own feed on your own server then using a relative URL should work just fine. AFAIK it’s the “http://” that triggers the file wrapper needing to be allowed. And you should know if your own feed is malicious or not 😉

Although getting in the habit of validating and filtering content is not a bad thing IMHO even for only your own.

As for permissions, I’m thinking 600 (user read write) might work and if not I don’t see why 700 wouldn’t be enough. Why would group or other need to access that folder? Seems the script is the only thing that really needs to.

No, it’s usually higher up in the server’s hierarchy.

Try contacting your hosting provider to see if you can change allow_url_fopen.

Jake, is the PHP.ini file usually located in the root of my server?
Or where is it usually located?

The PHP configuration is stored in a PHP.ini file.

If you have access to it, change a setting in there called allow_url_fopen to true, rather than false.

If not… you may not have much luck. I can’t be certain here, but I’m guessing that url fopen is disabled meaning the server won’t read any external file.

Regarding the php.ini file:
I am now pretty sure that I do not have access to this as it is being hosted on a company’s server. The hosting company is 1&1 and the highest up I can go in the hierarchy is my site’s root dir.

With allow_url_fopen set to false, this means that the feed cannot access external files because the feed uses PHP and Apache, which are running on my server, right?
The reason I can access an alternate JavaScript library, like jQuery, is probably because HTML and JS are client-side languages and do not involve the server as PHP does, right?

However, I plan to use this to interpret my RSS feed, which is on my blog on my server. So if I changed the RSS feed link in rss.php to the RSS feed on my server, should it work?

Regarding the permission to 777, I noticed this as I usually see that the highest needed and safe is 755.
I am not sure that this every script is secure.

Also what is an XSS attack, I am guessing that is bad?

Thanks for replying and I hope we can get this working

Hope to hear from you soon and thanks in advance!

Regards,
Team 1504

Thanks for replying so soon.

Do you mean remote file access is not allowed on the installations of the script on my server? So it cannot access an RSS feed that is on a different server?

And if this is the problem, how can I change it? Is it a file permissions problem, or can it only parse an RSS feed on my server?

By editing PHP configuration do you mean changing the file permissions? Otherwise, what is it? So that I can check if I can change it I believe I should be allowed to do.

I am not editing the script on their server; I am an external coder they asked to get their script working. So I do not have a login or access to their server; that is why they emailed me the zip so I could have all the files.

I hope I explained and answered your question about my issue correctly. 🙂

Hope to hear from you soon

Chances are that remote file access isn’t allowed on your server configuration.

Are you on a server which allows editing of the PHP configuration?

Good question. I’ve never tried “friendly URLs” in include statements. My guess is you need to point to the file that the rewrite points to. I don’t think the PHP parser goes through the server (i.e. makes an HTTP request) for relative paths and therefore won’t recognize it. But you could try it and see I suppose.
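
An added example, not part of the original thread or any poster's code: a PHP version of the approach discussed above, fetching the feed with cURL (which does not depend on allow_url_fopen), restricting the URL to an allowlisted host, and escaping feed content before output so that a feed cannot inject script into the page (XSS). The host `blog.example.com`, the function names `fetch_feed` and `render_items`, and the sample feed are assumptions made up for illustration.

```php
<?php
const ALLOWED_HOSTS = ['blog.example.com']; // constructed placeholder host

function fetch_feed(string $url): string
{
    $p = parse_url($url);
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)
        || !in_array(strtolower($p['host'] ?? ''), ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('Feed URL is not on the allowlist');
    }
    $ch = curl_init($url); // needs the cURL extension, not allow_url_fopen
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allowlist
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false || curl_getinfo($ch, CURLINFO_HTTP_CODE) !== 200) {
        throw new RuntimeException('Feed request failed');
    }
    return $body;
}

function render_items(string $xml, int $max = 5): string
{
    libxml_use_internal_errors(true); // malformed XML yields false, not warnings
    $feed = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($feed === false || !isset($feed->channel->item)) {
        throw new RuntimeException('Not a usable RSS 2.0 document');
    }
    $html = '';
    foreach ($feed->channel->item as $item) {
        if ($max-- <= 0) break;
        $title = htmlspecialchars((string) $item->title, ENT_QUOTES, 'UTF-8');
        $link  = (string) $item->link;
        // Only http(s) links become anchors; javascript: and similar are dropped.
        $html .= preg_match('#^https?://#i', $link)
            ? '<li><a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . "\">$title</a></li>\n"
            : "<li>$title</li>\n";
    }
    return "<ul>\n$html</ul>\n";
}

// Constructed sample feed so the rendering step runs offline.
$sample = '<rss version="2.0"><channel><item><title>&lt;script&gt;alert(1)&lt;/script&gt;</title>'
    . '<link>https://blog.example.com/a</link></item><item><title>Second post</title>'
    . '<link>javascript:alert(1)</link></item></channel></rss>';
printf("allow_url_fopen=%s allow_url_include=%s\n", var_export(ini_get('allow_url_fopen'), true), var_export(ini_get('allow_url_include'), true));
echo render_items($sample);
// Live use: echo render_items(fetch_feed('https://blog.example.com/feed.xml'));
```

The first output line shows how the host has set the two directives; the list that follows shows the script tag in the first title rendered as escaped text and the `javascript:` link reduced to a plain title.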