I have a PHP script that accepts a file URL by GET and opens it with fopen.
Is this solution safe enough or is it a security breach?
$filename = $_GET['file'];
if( substr( $filename, 0, 7 ) !== 'http://' )
$filename = 'http://'.$filename;
fopen( $filename, 'r' );
// etc...
This way you can't force a local path to the script to read from it.