I'm not sure it is possible or not, but i try
include "http://www.abc.cm.my/function.php" inside my php file and it not work.
my ideal is
i have a standard function file at my own website and all my clients web will include my standard function directly from my own website, then i no need to duplicate the function file to all my clients website, the trouble i facing now is, i need to change/update the function file at each/all of my clients website, it not hard but just many work to do.
hope you guys understand my situation and my English.
PHP allows for this under certain conditions:
... URLs can be used with the include, include_once, require and
require_once statements (since PHP 5.2.0, allow_url_include must be
enabled for these) ...
Doc
Sure, you can use the URL include wrappers option in PHP on website1. You'll need to make sure that the remote server (website2) is serving the raw PHP--so that when you open it in a browser at http://website1/script.php you see the plain PHP source code.
However this is generally a bad idea, since you normally only want the PHP to be visible server-side (normally you don't want to show your raw code to the world). You could use network mappings / mounts to map the remote filesystem to a local drive, or it would be a bit better if website2 were only a LAN only visible to website1.
Related
I'm trying to figure out how (if possible) to do this:
I want to have a server/space/cloud-storage without apache storing a php file, then, another server actually running and parsing that file.
This is because I know Dropbox (Copy, Google Deive, etc) does store any type of file but cannot run php files due to security and due to the lack of Apache.
I therefore thought it may be possible to have a server requesting the Dropbox php file, parse it and return the HTML result.
I thought of this solution and I tried making an include from an external source:
include_once("https://dropbox.com/whatever/file.php");
But is not feasible... Any solution?
Use the API of Dropbox instead of the webview. Then store the value in a variable or temp file and output the result of eval($codeFromDropbox); and delete it if you don't need it anymore.
Dropbox provides you a PHP class (also see the reference) to archive this or you can simply use the global HTTP API Docs to write this small script on your own.
Once you did the authorization as described in the API docs you can simply download any file you have the permissions for.
You can actually include remote files but it is disabled by default:
http://php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen
ini_set('allow_url_fopen', true);
This is OFF (false) by default because it is a VERY HIGH security risk.
It's also a high security risk using eval(). The whole idea is risky.
Why don't you store and the files on the PHP server you want to execute?
Update:
The ini configuration is allow_url_include, not allow_url_fopen, but you should lookup both.
I am writing a series of functions to interact with third-party APIs that will be included in other PHP scripts. Most of these third-party APIs use token-based authentication, so I would like to store these tokens within the function, but I’m wondering what the best practices are for preventing exploitation of those functions in the included file.
For example, in a script called ~/public_html/includes/functions.php I would define some functions that call a public API using cURL, and then return some sort of response from the API. Then, within my app, I would include ~/public_html/includes/functions.php and call the functions to interact with the third-party APIs.
My concern is what if someone else includes http://www.example.com/includes/functions.php in their script, and starts calling my functions to make API calls using my credentials? Should functions.php live somewhere else, perhaps outside of the ~/public_html dir? Or perhaps I can use UNIX permissions to prevent anyone but my own apps to include the functions.php script?
My concern is what if someone else includes
http://www.example.com/includes/functions.php in their script, and
starts calling my functions to make API calls using my credentials?
Should functions.php live somewhere else, perhaps outside of the
~/public_html dir? Or perhaps I can use UNIX permissions to prevent
anyone but my own apps to include the functions.php script?
You are mixing up a lot of things here. And the long story short: You should not worry. I gave a full explanation on how include works with URLs in this answer. Below is a summary for your purposes.
Specifically, while one could use include to include full URLs like include('http://www.google.com/'); the only thing you get from that include is the final rendered content of the page. 100% none of the functions, classes, variables, strings, constants or anything contained in the internals of that PHP code. Or as very clearly explained in the PHP documentation you are linking to; emphasis mine:
If "URL include wrappers" are enabled in PHP, you can specify the file
to be included using a URL (via HTTP or other supported wrapper - see
Supported Protocols and Wrappers for a list of protocols) instead of a
local pathname. If the target server interprets the target file as PHP
code, variables may be passed to the included file using a URL request
string as used with HTTP GET. This is not strictly speaking the same
thing as including the file and having it inherit the parent file's
variable scope; the script is actually being run on the remote server
and the result is then being included into the local script.
So you cannot include credentials remotely—or any PHP internals—in the way you describe. The only way that could happen is if ~/public_html/includes/functions.php were included locally. That is when PHP internals are exposed.
Or the better way to understand this: When you request a PHP file via http:// or https:// it is parsed & processed via the PHP module in Apache. So it only returns the final product—if any—post often conveyed by an echo statement.
But when you include a file via the local file system it is not parsed by the PHP module in Apache. It is simply raw code. And that is how you can use the functions, classes, variables, strings, constants and anything contained in the internals of that PHP code.
So I'm a bit confused about what crafty users can and can't see on a site.
If I have a file with a bunch of php script, the user cant see it just by clicking "view source." But is there a way they can "download" the entire page including the php?
If permission settings should pages be set to, if there is php script that must execute on load but that I dont want anyone to see?
Thanks
2 steps.
Step 1: So long as your PHP is being processed properly this is nothing to worry about...do that.
Step 2: As an insurance measure move the majority of your PHP code outside of the Web server directory and then just include it from the PHP files that are in the directory. PHP will include on the file system and therefore have access to the files, but the Web server will not. On the off chance that the Web server gets messed up and serves your raw PHP code (happened to Facebook at one point), the user won't see anything but a reference to a file they can't access.
PHP files are processed by the server before being sent to your web browser. That is, the actual PHP code, comments, etc. cannot be seen by the client. For someone to access your php files, they have to hack into your server through FTP or SSH or something similar, and you have bigger problems than just your PHP.
It depends entirely on your web server and its configuration. It's the web server's job to take a url and decide whether to run a script or send back a file. Commonly, the suffix of a filename, file's directory, or the file's permission attributes in the filesystem are used to make this decision.
PHP is a server side scripting language that is executed on server. There is no way it can be accessed client side.
If PHP is enabled, and if the programs are well tagged, none of the PHP code will go past your web server. To make things further secure, disable directory browsing, and put an empty index.php or index.html in all the folders.
Ensure that you adhere to secure coding practices too. There are quite a number of articles in the web. Here is one http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
We have several different client directories (each it's own domain) that include/require the central app from a different location on the server. Basically each domain is an extension of the centralized code, but very lean because all the main code doesn't need to be duplicated.
If we wanted to give clients/resellers access to editing their own PHP codes, how would we prevent them from reading the central code that we wish to protect?
Basically we want to prevent them from creating some code that opens, reads, TARs, or somehow outputs the source code, but we must still allow the include.
open_basedir() does almost this; it prevents the opening of the code, but in doing so it also prevents the include.
Are code encryption solutions (e.g. Zend Guard) our only options, or is there a way like open_basedir() that allows includes? I've also though about disabling all the read functions and writing my own that checks the source.
Thoughts?
The answer is no, you cannot give the "read" permission and prevent them from reading...
If they can "include" the code they can also write a simple php script that reads your central app files and print the content to screen, for example.
I believe you cannot restrict reading if you allow reading globally however you could filter the access of your site in .htaccess file with %{REMOTE_HOST} or similar. Basically if you are able to identify your clients from their remote locations by IP or url than I believe you can restrict reading specific directories based on who is accessing the site. Can you give me an example of your PHP code for the reseller access to your side?
I ended up using Smarty to give limited capabilities to clients (templating), while keeping the PHP secure.
Nowadays, Developers and Professionals tend to use PHP templates because of two reasons. They are manageable and secondly, we don't need to advertise our technology as there are no question marks and .php extensions within the URL.
But how to make non-advertisement of your technology possible while sending a jQuery Ajax request to load a PHP file in a div. I mean we would, have to write $.get('phpfile.php') within the script and one can say that voa he is using PHP hmmmm.
Simply, I want to ask is there is any way of loading a PHP through request without advertising your technology as above told.
Some coding will be honored.
But how to make non-advertisement of your technology possible while sending a jQuery ajax request to load a php file in a div. I mean we would, have to write $.load('phpfile.php') within the script and one can say that voa he is using PHP hmmmm.
I don't get it. jQuery doesn't know about PHP files. If your website has 2 "public pages" www.example.com and www.example.com/foo, then you can access to the /foo page from the homepage with something like $.get("/foo"). Here I use AJAX, jQuery, and nobody knows if my page use PHP or whatever.
Then, you should look for mod_rewrite has explained by verisimilitude, but rewriting url is not the unique solution. Have a look to this site http://builtwith.com/ and enter a random url. Web servers send, by default, a lot of data about themselves, so you should avoid that behavior too if you want to "hide" the technology used. Have a look here http://xianshield.org/guides/apache2.0guide.html. It's "a guide to installing and hardening an Apache 2.0 web server to common security standards.". You may find useful information in there.
Edit
And also, "PHP templates" are not related to pages URL at all. For example, you could have multiple URL which use the same "PHP template".
mod_rewrite is the best answer for all your predicaments. Why not use it? The URL phpfile.php in your above code could be rewritten to achieve the obfuscation...
#pomeh. Good point.
See. two things can be done here.
1) Disable the APACHE signature. In the default configuration of Apache, any page served through it will contain a full signature of the server. Server signatures contain valuable information about installed software and can be read (and exploited). Therefore is it safer to turn off this behavior. This is how you do it. Open Apache’s configuration file (httpd.conf or apache2.conf) and search for ServerSignature . Set it to 'Off'. After that search for ServerTokens and set it to 'Prod'.
2) Set "expose_php" in php.ini to false: Exposes to the world that PHP is installed on the server, which includes the PHP version within the HTTP header.
3) There are some php obfuscators available which also may be used. I will not recommend them since I've not personally tried them.
There are ways and means beyond these to hide the "technology". By default, a php enabled APACHE web server processes and interprets all files with .php extension. But we can bind any weirdo extension to hide the technology to be processed by the server..
I guess verisimilitude and pomeh already answered this question.
All web servers send information about themselves over the internet. You cant hide that.
If you want to hide file extensions, like 'aspx, php, asp, html' then you will need to use mod_rewrite under Apache or something like URL Rewrite under IIS7.
You can also set default documents under IIS7. This really only works once per web folder. For example you can set default.htm as one of the default documents. When a visitor goes to your website they type www.domain.com and they get a web page. That visitor is actually looking at www.domain.com/default.htm