The purpose of CoffeeCup RSS News Flash is to add your own news to your website or news from Yahoo!, CNN, and CNET using Flash. So the question is: How exactly are we supposed to retrieve news from external sources?
A few answers naturally present themselves:
- We could allow the users to retrieve the data manually, though that would be a bit much to ask and pretty inefficient.
- We could require our users to have some sort of third-party software or PHP module, though that would exclude a significant portion of our user-base.
- We could allow the users to utilize a base PHP function to retrieve the remote data. This would be desirable, as it would be available cross-platform to anyone who has PHP installed.
Naturally, we chose the last of these. The base PHP functionality it relies on is available in all supported PHP distributions and is enabled by default.
But what does this choice mean for you? Does it mean that your website will suddenly be vulnerable to attacks if you use our software?
Well, no. I think what you will find is that using our software doesn't inherently open you up to any security risks. In fact, the advice you will find on the PHP Security Consortium's website regarding the allow_url_fopen configuration setting is geared toward server administrators rather than website developers. The idea is that if you are going to allow other developers to use your server, you should not keep allow_url_fopen enabled, since some programmers may use it carelessly.
So, like everything else in life, I think this is really more a matter of weighing your options than a decision of right or wrong. While it is true that disabling allow_url_fopen will prevent careless programmers from exposing you to security risks, it will also prevent you from retrieving external data without some sort of third-party product. I think the best solution for you, as a website developer, is to enable allow_url_fopen and simply not be careless. If you are going to retrieve data from external sources, make sure they are trusted sources. Obviously, Yahoo!, CNN, and CNET are safe sources. It is very unlikely that one of these sources is going to try to exploit your system.
If you want to be extra safe, you can disable allow_url_fopen by default and enable it only for your CoffeeCup RSS News Flash script. Some options for making this sort of per-script configuration change are described here: http://us.php.net/manual/en/configuration.changes.php
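The two pieces of advice above (only fetch from sources you trust, and keep allow_url_fopen off everywhere except the one script that needs it) can be made concrete. The following is an added example written for this article; it is not code from CoffeeCup RSS News Flash or from the PHP manual. It assumes Apache with mod_php for the per-directory configuration shown in the comments, and the feed hostnames, directory path and sample feed XML are constructed placeholders, not values from the article.

```php
<?php
// Added example, not part of the CoffeeCup product. Demonstrates:
//  1. keeping allow_url_fopen off globally and enabling it only for the
//     directory that holds the news script (server configuration), and
//  2. a fetcher that only talks to an explicit list of trusted feed hosts.
//
// allow_url_fopen is a PHP_INI_SYSTEM setting, so it cannot be turned on
// from script code with ini_set(). With the global default set to
//     allow_url_fopen = Off
// in php.ini, a single directory can be re-enabled in httpd.conf
// (assumption: Apache mod_php; the path is a placeholder):
//     <Directory "/var/www/html/newsflash">
//         php_admin_flag allow_url_fopen On
//     </Directory>
// Any script outside that directory keeps the safe default.

// Hosts this script is willing to contact. Constructed placeholder list;
// replace with the hosts of the feeds you actually use.
const TRUSTED_FEED_HOSTS = ['rss.example.com', 'feeds.example.org'];

/** True only for a plain http(s) URL whose host is on the trusted list. */
function feed_url_is_trusted(string $url, array $trustedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only http/https: no file://, ftp://, php:// or data: wrappers.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Reject embedded credentials so "trusted@evil" style URLs cannot slip by.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $hosts = array_map('strtolower', $trustedHosts);
    return in_array(strtolower($parts['host']), $hosts, true);
}

/** Retrieve a feed body, failing closed if the URL or the PHP setting is wrong. */
function fetch_trusted_feed(string $url, array $trustedHosts, int $timeoutSeconds = 10): string
{
    // Give a clear error instead of a warning when the setting is off.
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_fopen is disabled for this script');
    }
    if (!feed_url_is_trusted($url, $trustedHosts)) {
        throw new InvalidArgumentException("Refusing to fetch untrusted URL: $url");
    }
    $context = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'timeout'         => $timeoutSeconds,
            'follow_location' => 0,   // a redirect could leave the trusted host
            'user_agent'      => 'feed-fetcher-example/1.0',
        ],
    ]);
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        throw new RuntimeException("Failed to retrieve $url");
    }
    return $body;
}

/** Parse RSS item titles without letting the XML parser reach the network. */
function parse_feed_titles(string $xml): array
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        return [];
    }
    $titles = [];
    foreach ($doc->channel->item ?? [] as $item) {
        $titles[] = (string) $item->title;
    }
    return $titles;
}

// Offline demonstration with a constructed feed (no network access needed).
$sampleRss = '<?xml version="1.0"?><rss version="2.0"><channel>'
           . '<item><title>First headline</title></item>'
           . '<item><title>Second headline</title></item>'
           . '</channel></rss>';
print_r(parse_feed_titles($sampleRss));

foreach (['https://rss.example.com/top.xml',
          'http://rss.example.com.attacker.test/top.xml',
          'file:///etc/passwd',
          'https://user@rss.example.com/top.xml'] as $candidate) {
    printf("%-48s %s\n", $candidate,
           feed_url_is_trusted($candidate, TRUSTED_FEED_HOSTS) ? 'trusted' : 'REJECTED');
}
```

Only the first candidate URL is accepted: a look-alike host, a non-HTTP wrapper and a URL with embedded credentials are all refused before any remote request is made. When run in a directory where allow_url_fopen is off, fetch_trusted_feed() throws immediately rather than emitting a warning, which makes a misconfigured deployment obvious.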
I think the bottom line is that our program has no inherent security flaws. Rather, it allows a careless person to open your Website up to certain security risks. This presupposes that a careless person is running your website, which I'm sure isn't the case. I'm sure that with some mild vigilance, you will be able to take full advantage of our program and maintain a safe and secure site.