RSS Feed Security/fopen & register_global
Old 09-01-2009, 05:27 PM RSS Feed Security/fopen & register_global
Average Talker

Posts: 17
Name: Jon
Location: Southern California
Trades: 0
Any suggestions....

I wanted to add a news section to my site. I located what seems to be a great free RSS feed. The following code was provided:

PHP Code:
<?php
// Silence error output while the remote script runs, remembering the old level
$olderror_reporting = error_reporting(0);
// include() downloads the remote URL (needs allow_url_fopen = On) and then
// EXECUTES whatever PHP the feed service returns, as if it were local code.
// $HTTP_SERVER_VARS is the old "long array" name for $_SERVER.
include("http://rssfeedreader.com/rss3/rss.php?url=http%3A%2F%2Frss.cnn.com%2Frss%2Fcnn_topstories.rss&newpage=1&chead=&atl=&desc=1&owncss=&eleminate=&auth=&dts=&width=300&max=5&tlen=0&rnd=1&bt=3&bs=Double&nmb=&ntb=&naf=&nst=&nwd=0&nht=0&dlen=0&lstyle=-1&lc=Blue&bg=White&bc=Gray&spc=&ims=&tc=&ts=9&tfont=Verdana,+Arial,+Sans-serif&rf=" . $HTTP_SERVER_VARS['SERVER_NAME'] . $HTTP_SERVER_VARS['PHP_SELF'] . "&phpout=1");
// Restore the previous error_reporting level
error_reporting($olderror_reporting);
?>
This did not work for me initially. The customer service was extremely prompt and helpful and suggested the following:

"Please create a php.ini or .htaccess file and set allow_url_fopen and register_globals ON; currently they are OFF in the PHP configuration.
You can contact your host support for creating the php.ini or .htaccess file."

I edited the php.ini file and turned these items on. Everything worked great. However, in reading about these commands, both create risks in security and I have since returned them to OFF until I may locate a "better" solution - or I will cancel the idea altogether. Actually, the coding will work with ONLY allow_url_fopen ON and globals OFF. So the question really is only about the "allow_url_fopen."

Is there a way to simply allow fopen for this piece of code only? Is it truly a security risk? I am not that well versed in this area and my php coding knowledge is limited. I did some research online and read some blogs about "curl" and my brain hurt.

Ideas?

Thanks.

Last edited by LoganKonlan; 09-01-2009 at 06:44 PM..
Old 09-02-2009, 12:42 AM Re: RSS Feed Security/fopen & register_global
Full-Time TeraTasker

Posts: 1,470
Name: Jeremy Miller
Location: Marianna, FL
Trades: 0
This is just my opinion, but I almost always NEED allow_url_fopen on, however, I NEVER need, desire, or want register globals on. If I were you, I'd be more concerned about that requirement. Basically, it appears that what they're having you do is exactly why those commands have warnings: remote code can be executed on your server... code that they feed you. Now, I don't know anything about that company, but I sure in the world would never want to allow someone to be able to execute code on my server. URL Fopen is great for being able to pull non-executed files from remote servers for parsing, but becomes very dangerous when you allow the executing of that code (e.g. using include for the remote file instead of something like file_get_contents [to read the whole file into a variable]).

Now, this company (however great they may be) is not only executing code on your system, but has the security design flaw of requiring register globals ON. This means that all post, get, session, etc. variables are treated as the same. Have a session variable like $allow_root_access? Well, using http://yoururl.com/?allow_root_access=1 will overwrite that value (without some protective measures added)!!

My first take, and, again, I don't know this company, would be to go with someone with better security protocols in mind as there are plenty of ways to transmit RSS feeds around the net.
__________________
Jeremy Miller - TeraTask
Content Farmer - Automated Posting for Content & Blog Sites
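As an added example (not code from the thread, from the feed vendor, or from the forum), this is how the same news box could be produced while treating the remote response as data rather than code: the feed is downloaded with curl (which works with allow_url_fopen = Off) or, failing that, with file_get_contents (which needs allow_url_fopen = On but never executes what it reads), parsed with SimpleXML, and escaped before output. The CNN feed URL is the one embedded in the original snippet; the function names, the five-item limit and the curl-first fallback are my assumptions.

```php
<?php
// Added example: fetch an RSS feed as DATA and render it locally.
// Assumes PHP 5.2+ with SimpleXML; the curl extension is optional.
$feedUrl  = 'http://rss.cnn.com/rss/cnn_topstories.rss'; // feed from the original post
$maxItems = 5;                                            // assumed limit

/**
 * Download a URL as a string. curl is used when available (no allow_url_fopen
 * needed); otherwise file_get_contents, which needs allow_url_fopen = On but,
 * unlike include(), only returns bytes and never runs them.
 */
function fetch_feed_body($url, $timeoutSeconds = 10)
{
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);   // no silent redirects elsewhere
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeoutSeconds);
        curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
        $body = curl_exec($ch);
        curl_close($ch);
        return $body === false ? null : $body;
    }
    $context = stream_context_create(array('http' => array('timeout' => $timeoutSeconds)));
    $body = @file_get_contents($url, false, $context);
    return $body === false ? null : $body;
}

/**
 * Parse RSS 2.0 and return at most $max items as plain arrays.
 * A download failure or malformed XML yields an empty list instead of a fatal.
 * LIBXML_NONET and the absence of LIBXML_NOENT mean a hostile feed cannot
 * make the parser fetch other URLs or expand external entities.
 */
function parse_rss_items($xml, $max)
{
    $items = array();
    if ($xml === null) {
        return $items;
    }
    $doc = @simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || !isset($doc->channel->item)) {
        return $items;
    }
    foreach ($doc->channel->item as $item) {
        if (count($items) >= $max) {
            break;
        }
        $items[] = array(
            'title' => (string) $item->title,
            'link'  => (string) $item->link,
        );
    }
    return $items;
}

/** Render items as an HTML list: every value is escaped, only http(s) links become anchors. */
function render_items(array $items)
{
    $html = "<ul class=\"news\">\n";
    foreach ($items as $item) {
        $title = htmlspecialchars($item['title'], ENT_QUOTES, 'UTF-8');
        if (preg_match('#^https?://#i', $item['link'])) {
            $href  = htmlspecialchars($item['link'], ENT_QUOTES, 'UTF-8');
            $html .= "  <li><a href=\"$href\">$title</a></li>\n";
        } else {
            $html .= "  <li>$title</li>\n";   // feed gave a javascript:/relative link; show text only
        }
    }
    return $html . "</ul>\n";
}

// Explicit superglobals: nothing here depends on register_globals.
echo render_items(parse_rss_items(fetch_feed_body($feedUrl), $maxItems));
?>
```

The difference from the vendor snippet is where the trust boundary sits: here the remote server can only influence the text of the list, and that text is escaped before it reaches the browser, whereas a remote include lets the feed host return arbitrary PHP that runs with the web server's privileges.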
Old 09-02-2009, 05:31 PM Re: RSS Feed Security/fopen & register_global
Average Talker

Posts: 17
Name: Jon
Location: Southern California
Trades: 0
So to clarify, it sounds like having the fopen is NOT a huge issue unless it involves an "include," which this coding does.
I will search further for a company which offers a better solution which takes into account security concerns.
I appreciate the prompt feedback and advice.

Thanks!