Why Is allow_url_fopen Considered Dangerous?

Why is this considered a dangerous thing to have enabled on your system? This sounds to me like something that is quite useful. Why should I be careful about using this?

1 Answer

Answered By Dan

When it comes to dangerous PHP functions, allow_url_fopen is one that can be incredibly dangerous, but it is also something that is very useful and in most cases will need to remain enabled if you have written some advanced scripts. A common use for this setting would be with a REST-based API. For example, if you want to get item information from a REST URL, you could use something like the following.

file_get_contents("https://somesite.com/products/123");

Normally the file_get_contents function is used to get files from the local file system. When allow_url_fopen is enabled, you can use a URL with this function in order to get a remote file as if it were stored on the local webserver.

Why Is it Dangerous?

The general answer is, it isn't all that dangerous. Like any function, it can be dangerous if the code is written carelessly, but in general, it shouldn't be a problem. The following example will show how this could become dangerous if used carelessly. Let's say you have a form field that accepts a file path. You then read the contents of this file when the form is submitted. What happens if a URL is entered instead of a file path? This will mean that the URL will be queried and this could open some dangerous doors.

file_get_contents($_POST['filepath']);

If you do not need this function then I would suggest you disable it immediately. Otherwise, it isn't too much of a risk to keep it open, just be very very careful how and where it is used. Always validate data when passing the values to powerful functions.
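The following is an added example, not code from Dan's answer, showing what "validate data when passing the values to powerful functions" looks like for the two cases above: the form-field case, where the input must never become a URL, and the REST case, where a remote fetch is intended but the host must stay fixed. The directory /var/www/app/docs and the function names are assumptions made for the example; str_starts_with() requires PHP 8.0 or later.

```php
<?php
// Added example (not from the original answer). Assumes a hypothetical
// directory /var/www/app/docs containing the only files the form may read.

const DOCS_ROOT = '/var/www/app/docs';

/**
 * Return the contents of a file under DOCS_ROOT, or null when the
 * requested path is not an allowed local file.
 */
function read_allowed_file(string $userPath): ?string
{
    // 1. Refuse anything that looks like a stream wrapper: "http://",
    //    "ftp://", "php://", "data:" and so on. With allow_url_fopen enabled,
    //    file_get_contents() would otherwise fetch such a value remotely.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $userPath)) {
        return null;
    }

    // 2. Accept only a plain filename: no slashes, backslashes or "..",
    //    so the path cannot leave the allowed directory.
    if (!preg_match('#^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$#', $userPath)) {
        return null;
    }

    // 3. Resolve the final path and confirm it still sits inside DOCS_ROOT
    //    (realpath() also collapses symlinks that point elsewhere).
    $root = realpath(DOCS_ROOT);
    $full = realpath(DOCS_ROOT . DIRECTORY_SEPARATOR . $userPath);
    if ($root === false || $full === false
        || !str_starts_with($full, $root . DIRECTORY_SEPARATOR)
        || !is_file($full)) {
        return null;
    }

    return file_get_contents($full);
}

/**
 * The intended remote use from the answer: the scheme and host are fixed
 * in code, and only an integer id is inserted into the URL, so the input
 * cannot redirect the request to another host, scheme or path.
 * Returns the response body, or false on failure.
 */
function fetch_product(int $id): string|false
{
    // Bound the request time so a slow remote host cannot hang the script.
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    return file_get_contents('https://somesite.com/products/' . $id, false, $ctx);
}

// Usage with the form field from the answer. Instead of
//     file_get_contents($_POST['filepath']);
// the raw value never reaches file_get_contents() unless it passes the checks.
$contents = read_allowed_file($_POST['filepath'] ?? '');
if ($contents === null) {
    http_response_code(400);
    echo 'Invalid file request.';
} else {
    echo $contents;
}
```

The form-field path is rejected outright if it carries a scheme, then restricted to a bare filename, then checked after realpath() so that a symlink inside the directory cannot point outside it. Disabling allow_url_fopen in php.ini remains a worthwhile defence-in-depth setting when no script needs remote reads, but the validation above is what keeps a script safe when the setting has to stay on.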