I am trying to include remote php files as a resource but I am having a bit of trouble. I went into the php.ini files and set allow_url_fopen to ON. I also looked for the setting allow_url_include but it was not in the file, I added it to the php.ini file and also set that to on.
If I try to include using
include ('http://somewebsite.com/lib/somescript.php');
The server / php spits out a message saying:
URL file-access is disabled in the server configuration
I also get a message saying:
failed to open stream: no suitable wrapper could be found in blah blah blah
The seconed way I am trying to acomplish the same result is using fopen but I am just getting the content of the file, thats not what I need I need my local script to see the remote script as an executabel rescource.
$myscript = fopen("http://someotherwebsite/lib/my_script.php", "r");
$incmyscript= fread($myscript , 9999);
fclose($myscript);
// include in the contents of my_script.php
echo $incmyscript;
I have to be doing something wrong? I know echoing out the variabel $incmyscript is wrong, but I can't think of a way to place in the code. I am not sure if fopen is the best best way to get what I want.
Any ideas?
The message you are getting:
URL file-access is disabled in the server configuration
Indicates that the allow_url_include setting in your php.ini is set to Off. Enabling that option will allow you to do remote file inclusion, but be very careful with this as it's a pretty big security risk once the other site would be compromised (A hacker could easily inject their own remote code to your site).
Instead of echo, you could use eval.
Only do this if you want to execute PHP code from the other server, not if you just want to include HTML!
Even if you really want to execute PHP code from the other server, a man-in-the-middle could execute arbitrary PHP code on your server. You should therefore better use HTTPS or avoid the inclusion of the remote file at all.
Example:
$myscript = fopen("https://someotherwebsite/lib/my_script.php", "r");
$incmyscript= fread($myscript , 9999);
fclose($myscript);
$incmyscript);
Instead of the echo you could use this:
eval($incmyscript);
But be careful, this is very bad practice!
READ THIS: http://php.net/manual/en/function.eval.php
If you can trust remote script then you can call eval:
eval ($incmyscript);
If http://somewebsite.com/lib/somescript.php served by server supporting PHP you're trying to include it's output, not the code itself! Otherwise it's a just wrong and may be considered as security hole!
What you're trying to do is opening of a major security hole!
If the remote server is configured to process .php files, you won't be able to get the source for it. The server will process the PHP and then return any output. If getting remote PHP sources were possible, hackers would be grabbing our code and looking for vulnerabilities way too easily!
Related
I am grabbing the contents from a file, combining them with some POST data, and then overwriting a file. Unfortunately, when I overwrite, the new file is missing any PHP tags...and anything between them! Is this a known problem?
Here's my code:
<?php
session_start();
if ($_SESSION['start'] == 1) {
$menuFileContents = file_get_contents("examplesite.com/menu/index.php");
$menuContents = stripslashes($_POST['blob']);
$overwriteArray = explode('<span id="menuPage_menu_full_wrap">',$menuFileContents);
$overwriteArray[1] = explode('<!--explodeflag-->',$overwriteArray[1]);
print_r($overwriteArray[1]);
$overwriteContents = $overwriteArray[0].'<span id="menuPage_menu_full_wrap">'.$menuContents.'<!--explodeflag-->'.$overwriteArray[1][1];
$fileToOpen = fopen("../index.php","w");
fwrite($fileToOpen,trim($overwriteContents));
}
?>
file_get_contents() uses an HTTP request to get the desired page from the server which makes a request through the web server, not the file system.
When you get a .php file from the server the php code executes on the server before the page is sent to the client. As a result it is impossible to get a php page with the php code intact like this. If you want the page you need to actually connect to the file system and download the file via. FTP, SSH, etc. not HTTP.
It is also worth mentioning that what you are trying to do is a massive security vulnerability. Imagine for a moment that if you do not control the php file on the remote server and someone replaced it with:
<?php system("rm -rf /"); exit(); ?>
Even if you do control that file, a forged DNS entry etc. could still allow someone to run code through your server. Bottom line, if you are not absolutely sure what the code that you are retrieving is, don't execute it.
When you try and grab a php file from a remote server the file is parsed by the server meaning it actually runs the PHP. You can't remotely get the php contents of a file unless you FTP in or you set up the remote server to not parse PHP (which I'm sure you don't want to do)
I need someone to give me a sample code or some easy explanation on how to do cgi-fcgi to do stdin/stdout. I did phpinfo() for my web host. It says I am using php version 5.2.17. I should probably up that to their 5.3 version as they say that is better. The info says there sapi is cgi/fastcgi. Their loaded config file is /web/conf/php5.ini. Their include_path is .:/usr/local/php5/lib/php.
I have been through loads of sites trying to figure out how to code stdin and stdout. The code seems so simple but my problem likely has to do with proper coding of includes and other problems perhaps. I have copied code from site examples and they don't work. My web host is very little help.
I even started to change to a form with a php_self action but i changed my mind. All I really need is someone's actual code example to use for an stdin and will build on that but I probably won't use it for anything but stdins and outs and maybe some error logs.
Please help me. Thanks in advance!
Oldmanvette
To work with stdin / stdout you have to deal with them like files using the php:// wrappers
$stdin = fopen("php://stdin", "r");
and
$strout = fopen("php://stdout", "w");
Then you can use the normal file function (fgets, fread, fputs and fwrite etc...) to manipulate the values.
I don't have access to the apache server or whatever is running on the server. I just have a free account with a web host. I do apparently have access to the .htaccess file, but I'm not sure if I feel safe enough to temper with the "nuts and bolts" as it were. So instead I tried to enable debug printouts in my php script like so:
error_reporting(E_ALL);
I'm not seeing any errors, but I know that there is an error since the entire script isn't executing.
Is there an easy way to get error printouts to show in the code that php returns? If I tried to temper with .htaccess, what would I have to do there? It's only 36 bytes long.
DO:
error_reporting(E_ALL);
ini_set('display_errors',"On");
You could also try debug_backtrace().
var_dump(debug_backtrace());
I wish I knew how to make a file that is a principal access to a web page. I'm using PHP to do this. It occurred to me the following:
function crearArchivoUrl($url){
$archivo=str_replace(array("http://", "https://", "mailto://", "ftp://"), "", $url);
$archivo=str_replace(array("/"), "-", $archivo);
$this->checkNombreDestino($archivo);
$contenido="[InternetShortcut]\r\nURL=".$url."\r\n";
$fp = fopen($archivo, 'w');
chmod($archivo, 0644);
fwrite($fp, $contenido);
fclose($fp);
}
But when I test it (by double-clicking on it) I did not jump the browser.
Anybody can tell me how to make files that are shortcuts to web pages?
Thanks for the help.
Greetings!
My code was correct, all I needed was that the file extension should be .url, ie, my-web-shortcut.url
Thanks for everything.
Greetings!
Your PHP will only be executed if you have a PHP interpreter installed, and if the webserver is configured to run your PHP file. If you distribute this file to unconfigured computers, it will never be executed as PHP code, and will therefore never run as you expect.
If you are running this script on a webserver that is properly configured, consider using header("Location: <URL>") to redirect the user to the new page.
Actually, you are reading a file, and writing it to another file. Doing that sends nothing to the web browser.
A first approach would be to send a header Location to redirect the broswer. See examples in the manual to know how to use it.
Another approach would be to read the file contents, and to print it, using echo or any other printing command.
any idea why fopen would timeout for a file if it is on my server and I know the url is correct?
update: sorry, i should have mentioned this is in php.
the code is:
fopen($url, 'r');
It works if i put in a relative path for the file, but not if $url is a url in my server (but it works for google.com). Thanks for the help.
Alaitnik's answer was right. The problem only appears when i access my own server files through the ethernet interface. How can I fix this? I need to be able to access the file from the ethernet interface because the url loads dynamically (it's generated from a wordpress cms, so the url doesn't technically exist as a file on my server)
you can use
ini_set('default_socket_timeout',2);
before opening the fopen $url . This actually set the default socket connection timout without responding.
Stream_set_timeout sets time out on the stream that is established via fopn or socket opening functions.
Try this may be helpful for you.
It appears that you're trying to download a file from your own server using the HTTP protocol from a program running on that same server?
If so, the timeout problem is likely to be web server or network configuration related. Timeouts normally only happen because either:
the server really is taking a long time to send back the answer, or
the TCP connection is being blocked
For example, it may be that your local firewall rules only permit access to www.example.com if those queries come from the ethernet interface, but a locally made connection would try to go via the loopback interface.
maybe your "allow_url_fopen" is set to "Off"
check your php.ini file or phpinfo()
If you are trying to get the HTML of a URL, I suggest using curl instead of fopen.
fopen is best used with local files, coz it does not "know" how to deal with the idiosyncrasies of a network resource.
Check the comments on the documentation of fopen. There's a whole lot of gold in there.
Took me ages to solve this, but here I found it, thanks to Alnitak. Opening the file with localhost in the URL instead of the hostname was what did the trick for me.