“allow_url_fopen” allows a programmer to open or include a remote file using a URL rather than a local file path. It is also highly insecure and easy to exploit, so for security reasons it has been disabled on all of our shared servers and cannot be enabled for any reason. You can still retrieve remote files using the cURL library, which should be installed and functioning on all of our shared servers. You can find more information about cURL and its usage here: http://www.php.net/manual/en/ref.curl.php

Many programmers include files by pointing to a remote url, even if the file is on the local system. For example:

With allow_url_fopen set to Off, this method will no longer work. Instead, the file must be included by its local path, using one of the following three methods:

1. Using a relative path, such as ../includes/example_include.php
2. Using an absolute path, such as /home/username/public_html/includes/example_include.php
3. Using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory.
For example:

Passing Variables to an include file:

It is worth mentioning that the alternative solutions presented here change the way the include() function behaves. The alternative solutions all return the PHP code from the included page, which is then run as part of the including script; the now-unavailable remote URL method returned the result (the output) of the included page. One consequence of this behavior is that you cannot pass a query string using the alternative solutions. Instead, define the variables locally before performing the include.

For example:

must be changed to:

$var = "example";

For maximum flexibility when using multiple includes, it’s easier to create a variable:

$doc_root = $_SERVER['DOCUMENT_ROOT'];

Note: The technique works in the same way, regardless of whether you are using include() or require().
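
The following is an added example, not code from the original article. It shows the change described above: a variable defined locally, an include resolved to a local path under the web root (with URLs and paths outside the web root refused), and cURL used to fetch remote content as data. The function names, the www.example.com URLs and the query string in the "before" comment are assumptions made for illustration, and includes/example_include.php is assumed to exist under the web root.

```php
<?php
// Added example: function names, URLs and the "before" line are hypothetical.

// Resolve a path relative to the web root; refuse URLs and anything that
// escapes the web root (for example via "../").
function local_include_path(string $relative): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $relative)) {
        throw new InvalidArgumentException("URL includes are not allowed: $relative");
    }
    $root = realpath($_SERVER['DOCUMENT_ROOT']);
    if ($root === false) {
        throw new RuntimeException('DOCUMENT_ROOT is not a valid directory');
    }
    $path = realpath($root . '/' . ltrim($relative, '/'));
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Include not found under web root: $relative");
    }
    return $path;
}

// Before (stops working with allow_url_fopen set to Off):
//   include("http://www.example.com/includes/example_include.php?var=example");
// After: define the variable locally, then include by local path.
$var = "example";
include local_include_path('includes/example_include.php');

// Content that really lives on another server: fetch it as data with cURL.
// The response is returned as a string and is never executed as PHP.
function fetch_remote(string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,             // return body instead of printing it
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // HTTPS only
        CURLOPT_FOLLOWLOCATION => false,            // do not follow redirects
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('cURL request failed: ' . curl_error($ch));
    }
    return $body;
}

echo htmlspecialchars(fetch_remote('https://www.example.com/feed.txt'), ENT_QUOTES, 'UTF-8');
```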


For those who need this function, you can use cURL as described above, use one of the workarounds described here, look for a more secure program or application that suits your needs, or consider upgrading to a dedicated server account where you have complete control of the webserver. We cannot risk the security of every user on the server to enable this highly insecure function. This is one of the disadvantages of a virtual hosting platform: you are freed from having to perform regular maintenance and administration, but you have to accept certain limitations in order to guarantee security. You will find that every other web-hosting company that offers VPS/Shared hosting solutions also disables allow_url_fopen.