I want to ask something regarding allow_url_include - ...
If a server have got allow_url_include enabled in the PHP configuration ... Can the server owner easily create a PHP script and do something like:
include("http://example.com/configuration.php");
echo $mysql['username'];
So he can get the value of the MySQL username?
If that was possible, can I disallow that on my script to prevent hackers?
Thank you!
No, he will get the same thing as you have in your web browser. That would be a huge security issue.
Note that if your webserver is misconfigured, it can happen.
He can't get the value of the MySQL username.
He can only get the source code and the results of the page :
http://example.com/configuration.php