I provide a shared hosting environment and have had a client write an insecure script using the "include" statement. The server got hacked (more details below) and I eventually changed the "allow_url_fopen" php.ini setting to "Off" to disable the source of the attacks.
My question is: Does anyone know how I can set allow_url_fopen to "On" and still protect against poor programming?
More specifics on the hack...
The user was including local files in his url (had to use hddp to post this)
hddp://domain.com/index.php?inc=some_file.php and the vandal simply typed in
Without filtering the incoming variable $inc, the vandal successfully installed a root kit and ... well you know the rest.
I don't think there is a way to prevent that exploit, but it's really easy to prevent with the preg_match function. Just have it parse the incoming GET variable to see if it has http:// in it. Tell all your customers to do something like this or their account will be suspended.
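As an added example (not code from either poster), this is the stricter alternative to pattern-matching the parameter: the `?inc=` value is only ever used as a key into a fixed allowlist, so nothing the client types is passed to `include` directly, whether it is a remote URL, a stream wrapper or a `../` path. It assumes the includable pages live in a `./pages/` directory next to the script.

```php
<?php
// Added example: resolve the ?inc= parameter through an allowlist
// instead of passing it to include(). Assumes pages live in ./pages/.

// The pattern described in the question: the request parameter goes
// straight into include, so with allow_url_fopen=On any URL, and with it
// Off any readable local path, gets loaded and executed.
// include $_GET['inc'];

const PAGE_DIR = __DIR__ . '/pages';

// Permitted short names and the files they map to. Anything not listed
// is refused; the client never supplies a path or filename.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute path of the page to include, or null when the
 * requested name is not in the allowlist.
 */
function resolve_page(?string $requested): ?string
{
    if ($requested === null || !isset(ALLOWED_PAGES[$requested])) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: even a mistaken allowlist entry cannot resolve
    // to a file outside PAGE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['inc'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

Because the lookup is by name rather than by filtering the value, this holds regardless of the allow_url_fopen setting, and a rejected request is a cheap thing to log and alert on.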