Posted by: paragon | February 27, 2009

URL file-access is disabled in the server configuration

I’ve recently upgraded Apache and PHP on my VPS, and one of the unpleasant surprises was that some scripts which tried including pages from remote sites (I know, not the most secure approach, but there were reasons for that) got broken.


Traditionally, all the websites Google finds suggest that you double-check that your php.ini config has the allow_url_fopen enabled:

allow_url_fopen = On

Well, in my case it was enabled, but scripts were still broken. The really weird thing was that the upgrade procedure didn’t include changing the php.ini in any way, so it was fully working before and I kind of expected it to continue working.


After some quick research, I’ve found out that PHP 5.1 introduced a new security option to accompany the allow_url_fope, and this was exactly the option which broke my scripts:

allow_url_include = On

PHP 5.1 , by default is allow_url_include = off ! – Turn this to On and Bingo!

There you have it, hope it helps you next time you come across this problem!


  1. this is easily circumvented

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: