You definitely want allow_url_includeset to Off, which mitigates many of the risks of allow_url_fopenas well.

你肯定想allow_url_include设置为关闭，这也减轻了许多风险allow_url_fopen。

But because not all versions of PHP have allow_url_include, best practice for many is to turn off fopen. Like with all features, the reality is that if you don't need it for your application, disable it. If you do need it, the curl module probably can do it better, and refactoring your application to use curl to disable allow_url_fopenmay deter the least determined cracker.

但是因为并非所有版本的 PHP 都有allow_url_include，所以许多人的最佳做法是关闭 fopen。与所有功能一样，现实情况是，如果您的应用程序不需要它，请禁用它。如果您确实需要它，curl 模块可能会做得更好，并且重构您的应用程序以使用 curl 来禁用它allow_url_fopen可能会阻止最不确定的破解者。

I think the answer comes down to how well you trust your developers to use the feature responsibly? Data from a external URL should be treated like any other untrusted input and as long as that is understood, what's the big deal?

我认为答案归结为您对开发人员负责任地使用该功能的信任程度？来自外部 URL 的数据应该像任何其他不受信任的输入一样对待，只要能理解，有什么大不了的？

The way I see it is that if you treat your developers like children and never let them handle sharp things, then you'll have developers who never learn the responsibility of writing secure code.

我的看法是，如果你像对待孩子一样对待你的开发人员，从不让他们处理尖锐的事情，那么你的开发人员将永远不会学会编写安全代码的责任。

Cross-site scripting attacks are a pain, so that's a vote against. And you should absolutely have "allow_url_include" set to off, or you'll be in for a world of hurt.

跨站点脚本攻击是一种痛苦，因此投反对票。并且您绝对应该将“ allow_url_include”设置为关闭，否则您将陷入痛苦的世界。

It depends on the type of development. If your prototyping then enabling 'allow_url_fopen' is fine however there isn't a significant speed difference between libcurl and file_get_contents and enabling it is only a matter of convenience.

这取决于开发类型。如果您的原型设计然后启用 'allow_url_fopen' 没问题，但是 libcurl 和 file_get_contents 之间没有显着的速度差异，启用它只是为了方便。

For production servers any call to libcurl should be flagged for a security audit. As should fopen and file_get_contents if 'allow_url_fopen' is enabled. Disabling 'allow_url_fopen' does not prevent exploits it only slightly limits the number of ways they can be done.

对于生产服务器，任何对 libcurl 的调用都应该被标记为安全审计。如果启用了 'allow_url_fopen'，那么 fopen 和 file_get_contents 也应该如此。禁用 'allow_url_fopen' 并不能阻止漏洞利用，它只是稍微限制了它们可以完成的方式的数量。

The big problem is that allow_url_fopen is not more secured, so if you want to save file from a url using curl, you must pass from fopen/file_get to save the file.

最大的问题是allow_url_fopen 不是更安全，所以如果你想使用 curl 从 url 保存文件，你必须从 fopen/file_get 传递来保存文件。

• CURL is only good to retrieve remote content from URL. (allow_url_fopen not necessary)
• CURL must be added with Fopen or File_get if you want to save remote file to your server. (allow_url_fopen obligatory with CURL)

• CURL 仅适用于从 URL 检索远程内容。 （不需要allow_url_fopen）
• 如果要将远程文件保存到服务器，则必须使用 Fopen 或 File_get 添加 CURL。 （allow_url_fopen 必须使用 CURL）

Php must find other ways to make it more secured.

Php 必须找到其他方法来使其更安全。