Why This Error Occurs

If you’re seeing this error, we are willing to bet that you are using the include statement as seen below:

Common Include File Usage

<?php

include ("http://www.YourDomain.com/includes/header.php");

?> 

And you are more than likely getting an error similar to the following:

Include File Error Message

<?php

/*Warning: include() [function.include]: URL file-access is disabled in the server configuration in /home/YourUsername/public_html/index.php on line xx */

/*Warning: include(http://www.YourDomain.com/index.php) [function.include]: failed to open stream: no suitable wrapper could be found in /home/YourUsername/public_html/index.php on line xx*/

/*Warning: include() [function.include]: Failed opening 'http://www.YourDomain.com/index.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/YourUsername/public_html/index.php on line xx*/
?> 

What specifically causes this error is the fact that the server has upgraded from PHP 4 to a newer version. In the upgrade, the allow_url_fopen is set to OFF, which is responsible for disallowing include files to use absolute file paths.

Don’t be in a rush to turn this off in your system configuration just yet! Any upgrades past PHP 4 will turn allow_url_fopen to OFF as default due to security concerns. This is most prevalent in cross-site scripting attacks, or XSS attacks. In some cases, malicious users have even enslaved a server to become a spam-email-sending nightmare: all without the administrator noticing!

If there is any part of a website that allows a user to upload data of some sort, there are vulnerabilities that are present with poor coding that may allow malicious users to inject an include statement. By allowing allow_url_fopen to be set to ON, it allows them to include any file they wish from any website on the Internet. With it set to OFF, only documents on the server may be included. This is much safer considering you probably don’t have malicious code stored on the server. (And theoretically, if you did, hackers probably wouldn’t be able to find it)

The First Solution: Use Relative File Paths

A web server will automatically assume that the code below belongs on the server, and thus, is not a remote file:

PHP Include File With Relative Paths

<?php

include (header.php); //This file is in the same directory as the PHP file

include (includes/header.php); //This file is in a directory under the PHP file

include (../header.php); //This file is in the directory above the current PHP file

?>

Relative file paths can be used in every legitimate situation an absolute path would be used, although it may take a little more work. As in the example above, you may have to work at determining where the file you wish to include exists in relation to the PHP file being run.

Not your idea of fun? We aren’t fond of it either, so on to the next solution!

The Second Solution: Use Another PHP Function

We may substitute the include statement with file_get_contents, which reads an entire file into a string.

PHP Include With File_Get_Contents

<?php

$includeFile = file_get_contents("http://www.YourDomain.com/includes/header.php");

echo $includeFile;
?>

This is a good alternative to keep the absolute path an option in including a certain file. There are some instances where the above code wouldn’t come out as planned, depending on the situation. In addition, it adds another line of code that we can relinquish with the best solution: using a server variable.

The Best Solution: Using Server Variables

If you don’t want to spend hours rearranging code, you can do it the easy way with $_SERVER['DOCUMENT_ROOT'].

PHP Include Server Variables

<?php 

include $_SERVER['DOCUMENT_ROOT'] . '/includes/header.php'; 

?>

This allows you to keep the absolute path that you’ve come to be familiar with in using the include statement. Technically, the $_SERVER['DOCUMENT_ROOT'] command gives your path to the public_html directory, as seen below:

Essentially this is the root of your website, www.YourDomain.com, and therefore, you can use it just as you would with any other include statement. Just replace www.YourDomain.com with the server variable and you’re set!

Should I Turn On allow_url_fopen?

The short answer: no; allow_url_fopen was turned off for a reason. If you don’t own your own server, odds are your host won’t even allow the change in the first place. If you do own your own server, realize that the third solution presented in this tech tip takes almost no time to implement, and only requires that the base URL be replaced with a server variable.

Closing Comments

The bad news is that you’ll probably have to switch many pages in your website to conform to the new standard. The good news is that once that’s done you’ll have a more secure server, and by following the new syntax, you’ll never have to change the code again.