Javascript – Wrapper is disabled in the server configuration by allow_url_include=0


I am trying to retrieve page contents with an AJAX call. I have a series of links within a page wrapper. When I click on a link, it loads a JavaScript function that retrieves page contents from a php script. In this case I am developing on my localhost, but in production the script will be within the same root folder and domain as the file that does the AJAX call. I am using the response as the content for a div. The content isn't purely PHP, and by that I mean while it is generated by php it has HTML elements like divs and spans. It's basically the stuff that is going between the opening and closing body tags. Because of this, I'm not sure I can just use json_encode.

Instead of the content loading in the div, I get the following error:

Warning: require_once() [function.require-once]: http:// wrapper is
disabled in the server configuration by allow_url_include=0

After reading up on allow_url_include it seems that this is usually disabled by default. I'm assuming that this feature allows for some serious site attacks. Is that the case. If so, how can I retrieve the content from another file?

I tried using the JQuery load function:


but with the exact same results.

This is driving me nuts! TIA.

EDIT: I think I may have found the problem; the php file that the AJAX is retrieving content from is using require_once. The file that it is requiring is on the same server within the same root folder, but it was one directory up. HOWEVER, that creates a new problem: I'm getting the content, but not fully. For example, in the file I have this:

Title:  <?php echo $details['title']; ?>

I am only getting the first letter, and this holds true for other php content that I echo.

Best Solution

allow_url_include only affects include() and require(), you can still use the PEAR HTTP_Request2 module or the curl functions to fetch webpages.

Using include() for remote webpages is considered to be a "bad practice", and may pose a security risk. For example, if you use include($var); and some attacker manages to replace $var with http://hacksite.tld he/she can "inject" code ...