Get variable from remote php function without allow_url_include on - php

I need to call one variable (keyword) from a remote PHP file (config.php) on server 2
and include it in a PHP function which is on another web server.
I know that by default PHP doesn't allow inclusion.
Is there any way around this for me to get the variable without setting allow_url_include on?
This is the function.php on server 1:
<?php
include('config.php');
if ($_GET){
$req_url = $_SERVER['QUERY_STRING'];
$page = substr($req_url, strrpos($req_url, '=')+1);
$number = (int)$page;
$xurl=('https://example.com/?q=' . $keyword .'');
}
echo $xurl;
?>
and here's the config.php on server 2
<?php
$base="http://example2.com";
$baseurl="http://example2.com/get.php?";
$basejson="http://example.com/function.php";
$keyword = "mountain";
?>

No, you cannot do that. It would be an extreme security gap.
If you have access to the remote webserver you may do an scp via exec and copy the file to your local server on each request. Or define a caching time and do it once every hour or whatever.
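Added example, not part of the original answer: one way to get $keyword onto server 1 without any remote include is to have server 2 publish it as JSON data, validate it, and cache it for an hour in the spirit of the caching suggestion above. The endpoint URL, the key allowlist and the injected fetch callable are assumptions, and the response is constructed so the script runs offline.

```php
<?php
// Added example: read a value from server 2 as data (JSON), never as code.
// Assumption: server 2 publishes non-secret settings at CONFIG_URL (hypothetical).
const CONFIG_URL   = 'https://example2.com/config.json.php';
const CACHE_TTL    = 3600;                    // refresh once an hour
const ALLOWED_KEYS = ['keyword', 'baseurl'];  // the only keys server 1 accepts

/** Decode a JSON config body, keeping only allowlisted string values. */
function parse_remote_config(string $body): array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        throw new RuntimeException('remote config is not a JSON object');
    }
    $clean = [];
    foreach (ALLOWED_KEYS as $key) {
        if (isset($data[$key]) && is_string($data[$key])) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

/** Return the config, calling $fetch only when the cached copy is stale. */
function load_remote_config(callable $fetch, string $cacheFile): array
{
    if (is_file($cacheFile) && time() - filemtime($cacheFile) < CACHE_TTL) {
        return parse_remote_config(file_get_contents($cacheFile));
    }
    $config = parse_remote_config($fetch(CONFIG_URL)); // validate before caching
    file_put_contents($cacheFile, json_encode($config), LOCK_EX);
    return $config;
}

// Constructed response standing in for server 2; the db_pass key is dropped
// by the allowlist. A real fetch would pass 'file_get_contents' (this needs
// allow_url_fopen, not allow_url_include) or a cURL wrapper instead.
$fakeFetch = fn(string $url): string =>
    '{"keyword":"mountain","baseurl":"http://example2.com/get.php?","db_pass":"x"}';

$cache  = sys_get_temp_dir() . '/remote_config_' . getmypid() . '.json';
$config = load_remote_config($fakeFetch, $cache);
$xurl   = 'https://example.com/?q=' . rawurlencode($config['keyword'] ?? '');
echo $xurl, PHP_EOL;
unlink($cache);
```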

Related

how to include/require a connection to mysql file from another server with php

I have a connection file,
file name inc.server.php:
<?php
function db_name() { return 'dbname'; }
function db_user() { return 'username'; }
function db_pass() { return 'pw'; }
$koneknodatabase = mysqli_connect('localhost:2020',db_user(),db_pass(),db_name());
function close_Con() {
mysqli_close(mysqli_connect('localhost:2020',db_user(),db_pass(),db_name()));
}
?>
This file is saved on my server with IP 10.2.60.2,
but when I require that file from my local PC
with
require('http://10.2.60.2/inc.server.php');
global $koneknodatabase;
$select = mysqli_query($koneknodatabase,"select from data");
$data = mysqli_fetch_array($select);
I am running that script on my localhost,
but the result is
Warning: mysqli_query() expects parameter 1 to be mysqli, null given in
I have changed allow_url_include to ON in php.ini.
Please help.
You can't access the source code of a PHP script of a remote host like that, otherwise everyone would open the config.php file from every webpage they know (and they know the file exists) and get any login data they want.
When you open the URL http://10.2.60.2/inc.server.php in your browser you see the content someone outside of the host "10.2.60.2" will see. It will be most likely an empty page since your inc.server.php file doesn't generate any output (and shouldn't). So your other PHP host will include just an empty file from his point of view, which means there aren't any functions like db_name() defined or any variables like $koneknodatabase.
There are different ways in which separate hosts can communicate with each other, but that's a different topic and might result in different questions. Luckily there is a vast amount of information out there about how two hosts can communicate with each other.

How to bypass security checks in a PHP script if run from the CLI?

I have a PHP script which is typically run as part of a bigger web application.
The script essentially makes some changes to a database and reports back to the web user on the status/outcome.
I have an opening section in my PHP:
require $_SERVER['DOCUMENT_ROOT'].'/security.php';
// Only level <=1 users should be able to access this page:
if ( $_SESSION['MySecurityLevel'] > 1 ) {
echo '<script type="text/javascript" language="JavaScript">window.location = \'/index.php\'</script>';
exit();
}
So, basically, if the authenticated web user's security level is not higher than 1, then they are just redirected to the web app's index.
The script works fine like this via web browsers.
Now to my issue...
I want to also cron-job this script - but I don't know how to bypass the security check if run from the CLI.
If I simply run it from the CLI/cron with 'php -f /path/to/report.php' and enclose the security check in a "if ( php_sapi_name() != 'cli' )", it spews out errors due to multiple uses of $_SERVER[] vars used in the script (there may be other complications but this was the first error encountered).
If I run it using CURL, then the php_sapi_name() check won't work as it's just being served by Apache.
Please can anyone offer some assistance?
Thank you! :)
If you invoke the script through the CLI some of the $_SERVER variables will be defined however their values may not be what you expect: for instance $_SERVER['DOCUMENT_ROOT'] will be empty so your require will look for a file called 'security.php' in the filesystem root. Other arrays such as $_SESSION will not be populated as the CLI does not have a comparable concept.
You could get around these issues by manually defining the variables (see "Set $_SERVER variable when calling PHP from command line?"); however, a cleaner approach would be to extract the code that makes the database changes to a separate file which is independent of any specific SAPI and does not depend on any SAPI-specific variables being defined.
For instance your PHP script (let's call it index.php) could be modified like this:
require $_SERVER['DOCUMENT_ROOT'].'/security.php';
require $_SERVER['DOCUMENT_ROOT'].'/db_changes.php';
// Only level <=1 users should be able to access this page:
if ( $_SESSION['MySecurityLevel'] > 1 ) {
echo '<script type="text/javascript" language="JavaScript">window.location = \'/index.php\'</script>';
exit();
} else {
do_db_changes();
}
Then in the SAPI-agnostic db_changes.php you would have:
<?php
function do_db_changes() {
// Do the DB changes here...
}
?>
And finally you would have a file, outside the web root, which you can invoke from cron (say cron.php):
<?php
require("/absolute/path/to/db_changes.php");
do_db_changes();
?>
Like this you can continue using index.php for the web application and invoke cron.php from cron to achieve your desired results.

PHP, Cannot call functions from remote server

I am trying to keep my PHP code on one server, while calling the functions from a separate server.
Server 1
<?php
echo 'Server 1';
function testingStuff(){
echo 'Testing Stuff';
}
function testingStuff2(){
return "Testing Stuff 2";
}
?>
Server 2
<?php
include 'fullURLtoServer1.php';
testingStuff();
echo testingStuff2();
?>
I know the include statement is working, as "Server 1" is being properly echoed to the screen, but neither of the function calls displays anything. Am I missing something? Why do neither function calls work?
EDIT 1
The ideal situation would be having a single .php file on Server 1 that contains multiple functions, which I can call as often as I'd like.
When you "include" a remote file, you are including the output of that file.
For server 2, the file you are trying to include just says:
Server 1
If you want to execute remote functions, you can make a different file for each function, and execute the function when the file is called. That way, you can "include" the remote file and show the output. You can replace the "different file for each function" for a single file with a parameter.
Keep in mind, though, that any user/server/bot can call those functions by simply loading the file from the webserver.
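Added example, not part of the original answer: a single entry point with a function parameter, restricted to an allowlist and to callers that hold a shared secret, which addresses the point that anyone can otherwise load the file. The secret, the parameter names (fn, args, ts, sig) and the signing scheme are assumptions; both sides are defined in one file and fed constructed requests so it runs offline.

```php
<?php
// Added example: one entry point on server 1, callable only with a valid signature.
// SHARED_SECRET is a placeholder (assumption); keep the real value outside the web root.
const SHARED_SECRET    = 'replace-with-a-long-random-value';
const MAX_SKEW         = 300;                                   // seconds a request stays valid
const REMOTE_FUNCTIONS = ['testingStuff2' => 0, 'square' => 1]; // allowlist: name => arg count

function testingStuff2(): string { return 'Testing Stuff 2'; }
function square(int $num): int { return $num * $num; }

/** Calling side (server 2): build the signed query parameters for one call. */
function sign_call(string $fn, array $args, int $ts): array
{
    $sig = hash_hmac('sha256', json_encode([$fn, $args, $ts]), SHARED_SECRET);
    return ['fn' => $fn, 'args' => json_encode($args), 'ts' => (string)$ts, 'sig' => $sig];
}

/** Serving side (server 1): check signature, freshness and allowlist, then dispatch. */
function handle_call(array $query, int $now): array
{
    foreach (['fn', 'args', 'ts', 'sig'] as $key) {
        if (!is_string($query[$key] ?? null)) {      // rejects missing or array-valued fields
            return ['ok' => false, 'error' => 'bad request'];
        }
    }
    $fn       = $query['fn'];
    $args     = json_decode($query['args'], true);
    $ts       = (int)$query['ts'];
    $expected = hash_hmac('sha256', json_encode([$fn, $args, $ts]), SHARED_SECRET);
    if (!is_array($args) || !hash_equals($expected, $query['sig'])) {
        return ['ok' => false, 'error' => 'bad signature'];
    }
    if (abs($now - $ts) > MAX_SKEW) {
        return ['ok' => false, 'error' => 'stale request'];
    }
    if (!array_key_exists($fn, REMOTE_FUNCTIONS) || count($args) !== REMOTE_FUNCTIONS[$fn]) {
        return ['ok' => false, 'error' => 'function not allowed'];
    }
    return ['ok' => true, 'result' => $fn(...array_values($args))];
}

// Constructed requests: a valid call, then the same call with a tampered argument.
$now  = time();
$good = sign_call('square', [4], $now);
echo json_encode(handle_call($good, $now)), PHP_EOL;
echo json_encode(handle_call(['args' => '[5]'] + $good, $now)), PHP_EOL;
```

On a real server 1 the entry script would pass $_GET and time() to handle_call() and echo the JSON result, which server 2 reads as data rather than including it.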

Calling included remote functions and variables

I'm trying to include a remote file from one of LAN pcs using include, allow_url_fopen = On and allow_url_include = On.
One local PC (let's say pc2), I have remote.php, which contains:
<?php
echo $var_on_pc1; // this doesn't output
$remote_var = 'Var on pc2';
function square($num){
return $num * $num;
}
?>
In my PC (let's say pc1), I have test.php, which consists of this:
<?php
$var_on_pc1 = 'Var on pc1';
include "http://pc2/path/to/remote.php";
echo $remote_var; // this doesn't output
echo square(4); // this got error
?>
When I run the script test.php, I got the error:
"Fatal error: Call to undefined function: square() in
path/to/test.php on line 7.
What happened? I thought I could call the included functions and variables and vice versa?
If I cannot implement this, what is the best way?
I have no security concern because I use this locally for temporary development.
Type http://pc2/path/to/remote.php into your browser and see what you get. PHP gets exactly the same.
If the PHP file is being processed by the web server at pc2, you likely get zilch in that file, because the code has been processed. You'd need to configure the other server to not process the PHP file and serve its raw source code instead.
This is not a good idea overall.

PHP: $_POST/$_COOKIE to variables

I've downloaded this script:
$QUERY_STRING="login";
if (file_exists("passwd.dat") && $QUERY_STRING != ""):
require ("passwd.dat");
if (!isset($alogin) || md5($pass) != $Password[$alogin] || !isset($Password[$alogin])):
$logined = 0;
//$error = "Invalid login or password!<br>";
setcookie("alogin","",0);
setcookie("pass","",0);
else:
$logined = 1;
setcookie("alogin",$alogin,time()+60*60*24*30*12);
setcookie("pass",$pass,time()+60*60*24*30*12);
endif;
endif;
?>
and it works just fine on remote server, but doesn't work on local one. As I figured out, on remote machine $_POST/$_COOKIE arrays are "unpacked" to just variables, e.g. if $_POST['abc'] is defined you can access it via $abc. What mechanism is it? Just don't know where to look...
This setting is called register_globals and you should never, ever use it. You should instead modify the script so that it accesses $_POST['abc'] directly, which is the correct way.
If the script is long and/or complicated, then simply accept the fact that it is crap and find a better one.
This is called register_globals and it is deprecated as of PHP 5.3.0.
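Added example, not part of the original answers: the login check from the downloaded script with each input read explicitly from the request arrays, so no request field can become a script variable. The helper names and the sample $Password data are assumptions, and the requests are constructed stand-ins for $_POST and $_COOKIE.

```php
<?php
// Added example: the downloaded login check with every input read explicitly.
// $Password stands in for the array defined by passwd.dat (constructed sample data).
$Password = ['admin' => md5('s3cret')];

/** Fetch one request field, POST first, then COOKIE; non-strings become null. */
function request_value(string $name, array $post, array $cookie): ?string
{
    $value = $post[$name] ?? $cookie[$name] ?? null;
    return is_string($value) ? $value : null;   // rejects arrays such as alogin[]=x
}

/** Same comparison as the original script, without relying on global variables. */
function is_logged_in(?string $alogin, ?string $pass, array $passwords): bool
{
    if ($alogin === null || $pass === null || !isset($passwords[$alogin])) {
        return false;
    }
    // md5 is kept only because passwd.dat stores md5 hashes; hash_equals
    // replaces the loose != comparison used in the original.
    return hash_equals($passwords[$alogin], md5($pass));
}

// Constructed requests: [post, cookie] pairs.
$cases = [
    'valid form login' => [['alogin' => 'admin', 'pass' => 's3cret'], []],
    'valid cookie'     => [[], ['alogin' => 'admin', 'pass' => 's3cret']],
    'wrong password'   => [['alogin' => 'admin', 'pass' => 'guess'], []],
    'extra fields'     => [['logined' => '1', 'Password' => ['admin' => 'x']], []],
];
foreach ($cases as $label => [$post, $cookie]) {
    $logined = is_logged_in(
        request_value('alogin', $post, $cookie),
        request_value('pass', $post, $cookie),
        $Password
    ) ? 1 : 0;
    echo str_pad($label, 18), 'logined=', $logined, PHP_EOL;
}
```

In the script itself the two arrays passed in would be $_POST and $_COOKIE; fields the code never asks for, such as the ones in the last case, have no effect.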
