If allow_url_fopen is disabled in php.ini you can use CURL function for check file exist:
<?php
$ch = curl_init("http://www.example.com/favicon.ico");
curl_setopt($ch, CURLOPT_NOBODY, true);
curl_exec($ch);
$retcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// $retcode >= 400 -> not found, $retcode = 200, found.
curl_close($ch);
?>
使用远程文件
只要在 php.ini 中启用 allow_url_fopen,就可以将 HTTP 和 FTP URL 与大多数以文件名作为参数的函数一起使用。此外,也可以在 include、include_once、require 及 require_once 语句中使用 URL(必须启用 allow_url_include)。PHP 协议支持的更多信息参见支持的协议和封装协议。
例如,可以用此打开远程 web 服务器上的文件,解析输出以获取所需数据,然后在数据库查询中使用该数据,或者网站其余部分相同的样式输出内容。
示例 #1 获取远程页面的标题
<?php
$file = fopen ("http://www.example.com/", "r");
if (!$file) {
echo "<p>Unable to open remote file.\n";
exit;
}
while (!feof ($file)) {
$line = fgets ($file, 1024);
/* 仅当标题跟标签在同一行时才有效 */
if (preg_match ("@\<title\>(.*)\</title\>@i", $line, $out)) {
$title = $out[1];
break;
}
}
fclose($file);
?>也可以在 FTP 服务器上写入文件(提供具有正确访问权限的用户身份连接)。只能使用此方法创建新文件;如果尝试覆盖已存在的文件,则调用 fopen() 将失败。
要以“anonymous”以外的用户名连接服务器,需要指明用户名(可能还有密码),例如“ftp://user:password@ftp.example.com/path/to/file”(当需要基础认证的
HTTP 协议访问远程文件时也可以使用相同的语法)。
示例 #2 将数据保存到远程服务器
<?php
$file = fopen ("ftp://ftp.example.com/incoming/outputfile", "w");
if (!$file) {
echo "<p>Unable to open remote file for writing.\n";
exit;
}
/* 这里写入数据。 */
fwrite ($file, $_SERVER['HTTP_USER_AGENT'] . "\n");
fclose ($file);
?>
注意:
或许可以从以上范例中了解到可以使用该技术写入远程日志文件。但不幸的是,这不起作用,因为如果如果远程文件已存在,调用 fopen() 将失败。要进行这样的分布式日志记录,应该参考 syslog()。
add a note
User Contributed Notes 4 notes
slva dot web dot sit at gmail dot com ¶
10 years ago
anon ¶
4 years ago
The following functions can't access external files if allow_url_fopen is disabled:
- fopen
- file_put_contents
- copy
I don't know if this is documented anywhere else, but I couldn't find it. Feel free to delete this post if so.
kalidass dot jst at gmail dot com ¶
8 years ago
public function get_url($request_url) {
$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, $request_url);
curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 0);
curl_setopt($curl_handle, CURLOPT_TIMEOUT, 0);
curl_setopt($curl_handle, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl_handle, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt($curl_handle, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, TRUE);
$JsonResponse = curl_exec($curl_handle);
$http_code = curl_getinfo($curl_handle);
return($JsonResponse);
}
get_url("http://www.example.com");
heck at fas dot harvard dot edu ¶
19 years ago
The previous post is part right, part wrong. It's part right because it's true that the php script will run on the remote server, if it's capable of interpreting php scripts. You can see this by creating this script on a remote machine:
<?php
echo system("hostname");
?>
Then include that in a php file on your local machine. When you view it in a browser, you'll see the hostname of the remote machine.
However, that does not mean there are no security worries here. Just try replacing the previous script with this one:
<?php
echo "<?php system(\"hostname\"); ?>";
?>
I'm guessing you can figure out what that's gonna do.
So yes, remote includes can be a major security problem.
