Using remote files

As long as allow_url_fopenis enabled inphp.ini, you can use HTTP and FTP URLs with most of the functionsthat take a filename as a parameter. In addition, URLs can beused with the include,include_once, require andrequire_once statements (since PHP 5.2.0,allow_url_includemust be enabled for these).See Supported Protocols and Wrappers for more information about the protocolssupported by PHP.

For example, you can use this to open a file on a remote web server,parse the output for the data you want, and then use that data in adatabase query, or simply to output it in a style matching the restof your website.

Example #1 Getting the title of a remote page

fopen ("""r");
if (!
$file) {
"<p>Unable to open remote file.\n";
while (!
feof ($file)) {
$line fgets ($file1024);
/* This only works if the title and its tags are on one line */
if (preg_match ("@\<title\>(.*)\</title\>@i"$line$out)) {
$title $out[1];

You can also write to files on an FTP server (provided that youhave connected as a user with the correct access rights). Youcan only create new files using this method; if you try to overwritea file that already exists, the fopen() call willfail.

To connect as a user other than 'anonymous', you need to specifythe username (and possibly password) within the URL, such as''.(You can use the same sort of syntax to access files viaHTTP when they require Basic authentication.)

Example #2 Storing data on a remote server

fopen ("""w");
if (!
$file) {
"<p>Unable to open remote file for writing.\n";
/* Write the data here. */
fwrite ($file$_SERVER['HTTP_USER_AGENT'] . "\n");
fclose ($file);


You might get the idea from the example above that you can usethis technique to write to a remote log file. Unfortunatelythat would not work because the fopen() call willfail if the remote file already exists. To do distributed logginglike that, you should take a look at syslog().

add a note add a note

User Contributed Notes 3 notes

slva dot web dot sit at gmail dot com
3 years ago
If  allow_url_fopen is disabled in php.ini you can use CURL function for check file exist:


curl_setopt($ch, CURLOPT_NOBODY, true);
$retcode =curl_getinfo($ch, CURLINFO_HTTP_CODE);
// $retcode >=400 -> not found, $retcode=200, found.
kalidass dot jst at gmail dot com
1 year ago
public function get_url($request_url) {

    curl_setopt($curl_handle, CURLOPT_URL, $request_url);
    curl_setopt($curl_handle, CURLOPT_CONNECTTIMEOUT, 0);
    curl_setopt($curl_handle, CURLOPT_TIMEOUT, 0);
    curl_setopt($curl_handle, CURLOPT_SSL_VERIFYPEER, FALSE); 
    curl_setopt($curl_handle, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
    curl_setopt($curl_handle, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, TRUE);

heck at fas dot harvard dot edu
12 years ago
The previous post is part right, part wrong. It's part right because it's true that the php script will run on the remote server, if it's capable of interpreting php scripts. You can see this by creating this script on a remote machine:
echo system("hostname");
Then include that in a php file on your local machine. When you view it in a browser, you'll see the hostname of the remote machine.

However, that does not mean there are no security worries here. Just try replacing the previous script with this one:
echo "<?php system(\"hostname\"); ?>";
I'm guessing you can figure out what that's gonna do.

So yes, remote includes can be a major security problem.