I'm trying to figure out how (if possible) to do this:
I want to have a server/space/cloud-storage without apache storing a php file, then, another server actually running and parsing that file.
This is because I know Dropbox (Copy, Google Deive, etc) does store any type of file but cannot run php files due to security and due to the lack of Apache.
I therefore thought it may be possible to have a server requesting the Dropbox php file, parse it and return the HTML result.
I thought of this solution and I tried making an include from an external source:
include_once("https://dropbox.com/whatever/file.php");
But is not feasible... Any solution?
Use the API of Dropbox instead of the webview. Then store the value in a variable or temp file and output the result of eval($codeFromDropbox); and delete it if you don't need it anymore.
Dropbox provides you a PHP class (also see the reference) to archive this or you can simply use the global HTTP API Docs to write this small script on your own.
Once you did the authorization as described in the API docs you can simply download any file you have the permissions for.
You can actually include remote files but it is disabled by default:
http://php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen
ini_set('allow_url_fopen', true);
This is OFF (false) by default because it is a VERY HIGH security risk.
It's also a high security risk using eval(). The whole idea is risky.
Why don't you store and the files on the PHP server you want to execute?
Update:
The ini configuration is allow_url_include, not allow_url_fopen, but you should lookup both.
Related
I'm not sure it is possible or not, but i try
include "http://www.abc.cm.my/function.php" inside my php file and it not work.
my ideal is
i have a standard function file at my own website and all my clients web will include my standard function directly from my own website, then i no need to duplicate the function file to all my clients website, the trouble i facing now is, i need to change/update the function file at each/all of my clients website, it not hard but just many work to do.
hope you guys understand my situation and my English.
PHP allows for this under certain conditions:
... URLs can be used with the include, include_once, require and
require_once statements (since PHP 5.2.0, allow_url_include must be
enabled for these) ...
Doc
Sure, you can use the URL include wrappers option in PHP on website1. You'll need to make sure that the remote server (website2) is serving the raw PHP--so that when you open it in a browser at http://website1/script.php you see the plain PHP source code.
However this is generally a bad idea, since you normally only want the PHP to be visible server-side (normally you don't want to show your raw code to the world). You could use network mappings / mounts to map the remote filesystem to a local drive, or it would be a bit better if website2 were only a LAN only visible to website1.
I have a bunch of arrays in a php file that I'd like to access across domains (same server).
If I simply try to include the file, I get " URL file-access is disabled in the server configuration". Now, I have read that I can change the php.ini file on my server to allow file access, but I'm also assuming this is a security hole.
Is there any other way to achieve what I'm trying to accomplish? I don't want to have to constantly update/upload this php file to every new site I create, having 1 universal file is much easier.
Edit for more info: I'm using WebhostManager, and I see an option to allow url fopen, which is set to yes, but there is no option for file access.
Thanks!
I've not used it yet so can't give an example but
I'm going to need to do the same soon.
Try researching "symbolic links".
That is if your using UNIX.
If IIS you can use "virtual directories"
Essentially both methods are creating faux folders that seem as if they are in your directory structure to a web user.
So I'm a bit confused about what crafty users can and can't see on a site.
If I have a file with a bunch of php script, the user cant see it just by clicking "view source." But is there a way they can "download" the entire page including the php?
If permission settings should pages be set to, if there is php script that must execute on load but that I dont want anyone to see?
Thanks
2 steps.
Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.
Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.
PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your php files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.
It depends entirely on your web server and its configuration. It's the web server's job to take a url and decide whether to run a script or send back a file. Commonly, the suffix of a filename, file's directory, or the file's permission attributes in the filesystem are used to make this decision.
PHP is a server side scripting language that is executed on server. There is no way it can be accessed client side.
If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.
Ensure that you adhere to secure coding practices too. There are quite a number of articles in the web. Here is one http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
Okay, so the PHP script exists on serverA. ServerA has php safe-mode ON and WebDAV OFF. I can't change either of these factors. I want a script on serverA to get the user's login/password for another server, which we shall call serverB. ServerB has WebDAV ON.
The ultimate goal is that the user will go to the script on ServerA, put in their credentials for ServerB, and then the script will create an iCal file and place it on ServerB, allowing the user to then subscribe to the iCal file using Outlook/GoogleCalendar, etc (which requires the file to be on a WebDAV server).
So, I tried
fopen(servername/filename, r)
and was able to read files on the remote server. But when I tried
fopen(servername/filename, w)
I get an error that the HTTP wrapper doesn't support writing, only reading.
Long story short, is there a way to connect to this server and authenticate, write a file, then close the connection WITHOUT using any of the already-existing WebDAV libraries for PHP and without getting hit with a safe-mode permissions error?
Thanks!
The problem is that the the HTTP protocol wrapper for PHP doesn't do PUT.
You should attempt to write your own, with either fsockopen, or preferably something like curl.
http://ca3.php.net/manual/en/wrappers.http.php
This has nothing to do with safe mode.
The issue here is that Safe-mode is designed to restrict you so you can not execute things outside your "safe" zone.
What you could try (if you can) is to modify the safe_mode_exec_dir in php.ini, then you can start external programs that could do the writing of the file for you (if they reside in this safe-mode directory
About authenticating, I'm not sure, perhaps someone can answer that in more detail.
Is there really a way to do this ? Retrieving raw .php file from the server (other than getting into server's FTP account) ? Is this the reason why there are tools/script to encrypt php source code ?
If it's true, then how to protect against it ? (without using php source code encryption)
edit: the server mentioned has php running, eg. apache-php-mysql, your standard hosting server configuration.
If you are talking about someone else's server, then the short answer is no. If third parties could read your PHP source code, that would be quite a security hole, since PHP files tend to contain database passwords, hash keys, proprietary algorithms and other goodies that you don't want falling in the wrong hands.
If you are talking about your own server (ie. that you yourself have access to), then there are simple scripts that you can put on the server, that allow you to specify a path to any file on the server and have it returned as plaintext.
However, you NEVER EVER want to place such a script on a production server, for the reasons mentioned above.
Generally speaking, you can't access remote source code. The PHP module would have to be disabled for this to occur.
But as a thought experiment, how might this happen?
Leaving aside wholesale exploits which get access to the entire filesystem, imagine if there were a security hole in an application which allowed you to insert an line into an .htaccess file. Given that an .htaccess writable by the httpd process is useful for apps like Wordpress, it's not too outlandish a possibility.
If you added this:
php_value engine off
The source files now become downloadable!
It is possible if the server is not well configured that PHP files are not handles as such.
Some examples:
Some servers are configured to show the highlighted source code of a PHP file when requested as .phps instead.
Some developers use .inc for files that are intended to be included using include or require. If the server is not configured to handle these as PHP as well, they will be delivered as plain text when they are requested directly.
But the developer can also be the source of vulnerability. For example when he uses a script for downloading files from the server and this script accepts nearly every input without validation.
If the file is served from a web server that has php interpretation enabled (via HTTP) then it will be processed. The only way you'd receive the code unprocessed is if PHP was disabled somehow.
I have encountered a mis-configured web server in the past that had one virtual host properly setup to server PHP files via the PHP interpreter. There was a second virtual host pointing at the same directory, but didn't have php enabled. This meant things like the 'config.php' for several apps where visible as plain text. As everyone knows a typical config.php has database auth credentials and other things that shouldn't be known.
So, it is very important to understand your web server setup, and make sure you aren't doing something silly.