libxml_disable_entity_loader

(PHP 5 >= 5.2.11)

libxml_disable_entity_loaderDisable the ability to load external entities

Description

bool libxml_disable_entity_loader ([ bool $disable = true ] )

Disable/enable the ability to load external entities.

Parameters

disable

Disable (TRUE) or enable (FALSE) libxml extensions (such as DOM, XMLWriter and XMLReader) to load external entities.

Return Values

Returns the previous value.

See Also

Коментарии

Автор:
Using this function you can prevent a vulnerable to Local and Remote File Inclusion attacks.

You'll see it in an example where I load and validate the following string:

<!DOCTYPE scan [<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">]>
<scan>&test;</scan>

One way to prevent that the file in given back is to set this value to 0.
Please take a closer look at the release of symfony 2.0.11
2012-02-29 20:23:52
http://php5.kiev.ua/manual/ru/function.libxml-disable-entity-loader.html
Be mindful that this also disables url loading in simplexml_load_file() and likely other libxml based functions that deal with URLs
2014-01-27 18:36:51
http://php5.kiev.ua/manual/ru/function.libxml-disable-entity-loader.html
This also seems to have an impact on <xsl:import /> statements if this is applied when loading XSLT for the XSLTProcessor class.
2014-03-25 12:23:12
http://php5.kiev.ua/manual/ru/function.libxml-disable-entity-loader.html
If is called 
libxml_disable_entity_loader(true);

, it causes that new SoapClient(.) fails with

SOAP-ERROR: Parsing WSDL: Couldn't load from 'D:\path/dm_operations.wsdl' : failed to load external entity "D:\path/dm_operations.wsdl

because this wsdl imports a xsd as an another external file.
Tested on php 7.1.12, win x64.
2018-01-04 11:48:12
http://php5.kiev.ua/manual/ru/function.libxml-disable-entity-loader.html
In PHP 8.0 and later, PHP uses libxml versions from 2.9.0, libxml_disable_entity_loader is deprecated.
so it is now safe to remove all `libxml_disable_entity_loader` calls on php8

if you want Backwards Compatibility

use this snippet

if (\PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}
2021-01-07 12:27:21
http://php5.kiev.ua/manual/ru/function.libxml-disable-entity-loader.html
There is an extra \ should be deleted before PHP_VERSION_ID in the code which suconghou posted 2 years ago.

if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true);
}
2023-04-27 05:46:59
http://php5.kiev.ua/manual/ru/function.libxml-disable-entity-loader.html

    Поддержать сайт на родительском проекте КГБ