Section 3.4.3
Top Level
Sub Level
General
The system should not allow users to specify direct references to system resources, such as filenames, database object IDs, account numbers, etc. Instead, the system should use an object and function referencing scheme that is limited to the exact list of resources the user is allowed to access, so that a reference the user was never issued cannot be resolved at all.
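The following is an added example, not code from the original document, showing one way to implement the indirect referencing scheme described above in Python. The resource store, the per-user access list and the user names are constructed for illustration. The client only ever receives opaque tokens; the server resolves a token back to the real identifier using a map that was built solely from the resources that user may access, so an unissued token, a real identifier or a path string supplied directly by the client all fail to resolve.

```python
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample data: the real resource identifiers and their contents.
DOCUMENT_STORE: Dict[str, bytes] = {
    "invoices/1001.pdf": b"invoice 1001 for alice",
    "invoices/1002.pdf": b"invoice 1002 for alice",
    "invoices/2001.pdf": b"invoice 2001 for bob",
}

# Constructed access-control list: which real identifiers each user may read.
USER_ACCESS: Dict[str, Iterable[str]] = {
    "alice": ("invoices/1001.pdf", "invoices/1002.pdf"),
    "bob": ("invoices/2001.pdf",),
}


class IndirectReferenceMap:
    """Per-user (or per-session) map between opaque tokens and real identifiers.

    Because the map is populated only with the resources the user is allowed to
    access, resolving a token is simultaneously an authorization check: anything
    not in the map simply does not resolve.
    """

    def __init__(self, allowed_resources: Iterable[str]) -> None:
        self._token_to_resource: Dict[str, str] = {}
        self._resource_to_token: Dict[str, str] = {}
        for resource in allowed_resources:
            # 16 random bytes, URL-safe; unguessable and unrelated to the real id.
            token = secrets.token_urlsafe(16)
            self._token_to_resource[token] = resource
            self._resource_to_token[resource] = token

    def token_for(self, resource: str) -> str:
        """Token to hand to the client for a resource; KeyError if not allowed."""
        return self._resource_to_token[resource]

    def resolve(self, token: str) -> Optional[str]:
        """Real identifier for a client-supplied token, or None if unknown."""
        return self._token_to_resource.get(token)


def build_map_for_user(user: str) -> IndirectReferenceMap:
    """Build the reference map from the user's access list (empty if unknown user)."""
    return IndirectReferenceMap(USER_ACCESS.get(user, ()))


def fetch_document(ref_map: IndirectReferenceMap, token: str) -> Optional[bytes]:
    """Request handler: the client sends a token, never a filename or id.

    Returns the document bytes, or None when the token does not resolve. The
    store is only consulted with an identifier that came out of the map.
    """
    resource = ref_map.resolve(token)
    if resource is None:
        return None
    return DOCUMENT_STORE.get(resource)


if __name__ == "__main__":
    alice_map = build_map_for_user("alice")
    token = alice_map.token_for("invoices/1001.pdf")
    print("token issued to alice:", token)
    print("fetched:", fetch_document(alice_map, token))
    # A real identifier or a path supplied directly does not resolve.
    print("direct id:", fetch_document(alice_map, "invoices/2001.pdf"))
    print("direct path:", fetch_document(alice_map, "../invoices/2001.pdf"))
```

The map is rebuilt from the access list whenever the user's permissions change (or per session), so a token never outlives the authorization that produced it; tokens from one user's map are meaningless in another user's map even if the underlying resource is the same.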
PHP
Disable allow_url_fopen when possible. Allowing remote files to be referenced as if they were local resources may pose a security risk.