Edit an iframe via FTP - php

I have an iframe that loads a remote page (not hosted on the same domain). I would like to edit the contents of the page, but of course, this is not possible, since I don't have permissions.
So, I was wondering, if I have FTP access to the site, would there be a workaround to the problem? With FTP, I could copy the files of the site over to my domain, and edit them via an iframe. But I was wondering if there is an alternate method.

Actually, yes. If you had FTP access to the site you could do it in theory.
Basically, something like:
// I used jQuery to speed up writing ajax code, really it could be anything else
jQuery.get('?refresh', function(){ // this function is called when the request finishes
    // force the iframe to do a complete refresh (hence the random token)
    jQuery('#iframe').attr('src','http://targetsite.com/somefile.php?r='+Math.random());
});
And:
// if the variable in question was set...
if(isset($_REQUEST['refresh'])){
    // the following requires "allow_url_fopen" config to be on
    // otherwise, you could use any other PHP FTP library
    // (FTP URLs take the form ftp://user:password@host/path)
    file_put_contents('ftp://username:password@targetsite.com/somefile.php','Hello');
}

Why use iFrames? If you need to load the content of a page hosted on another server, you could grab its content with cURL or some of the PHP file wrappers, e.g. the PHP readfile function. Voilà!
If you used readfile(..) you can also make edits to the file content you've loaded before you display it. If you have permission, you could also use include() to read the file via HTTP if you are certain that a valid PHP file will be returned from your request.

Related

Passing a file into browser using header() php

Is it possible using the header() function or perhaps another php function to pass a file to the browser locally?
I am currently using Chrome. I have the Office Editing for Docs extension installed which essentially allows me to open Word docx files locally into my Chrome browser by passing the full directory and file name into the URL address bar of Chrome. This essentially opens the Word file in Chrome. I would like to accomplish this task in php
I have tried the following below but no luck.
header( 'Location: file://c:\users\jbloggs\desktop\test.docx' );
I know the header() function is primarily used for redirecting to a web page
header( 'Location: http://www.google.com' );
Any help much appreciated.
It doesn't work this way, because you are trying to redirect from a remote server to a local file path. Chrome doesn't accept this because of security considerations. Note that it doesn't matter whether your web server is running on the same physical machine, it is seen as a separate server from your local file system. You can however accomplish this task using normal HTML:
Document
If you save this to a static HTML file and open it in your browser you should upon click be redirected to the document. If you want a direct redirect, use JavaScript's window.location. You cannot however serve the file from an HTTP server, like mentioned above.
If you want to do so, you have to serve the .docx file from your server as well, by including it as static content and then linking to it via HTTP as well.
Hope this helps!

Can a PHP script be included outside my file system?

I have a PHP script called constants.php, in there I have a lot of valuable data, like my MySQL information, etc.
Is it possible to access that script outside my machine? Let's say, using the following: include http://www.fakewebsite.com/config/constants.php
Well, yes and no.
Yes: They will be able to access the output of the file constants.php (however most likely it will be blank).
No: They won't be able to access your variables. You can only access these before PHP has been parsed.
Let's read the docs:
If "URL fopen wrappers" are enabled in PHP (which they are in the
default configuration), you can specify the file to be included using
a URL (via HTTP or other supported wrapper - see Supported Protocols
and Wrappers for a list of protocols) instead of a local pathname. If
the target server interprets the target file as PHP code, variables
may be passed to the included file using a URL request string as used
with HTTP GET. This is not strictly speaking the same thing as
including the file and having it inherit the parent file's variable
scope; the script is actually being run on the remote server and the
result is then being included into the local script.
So you can actually load external files (if your admin allows you to). However, is it going to be useful in your case? Open http://www.fakewebsite.com/config/constants.php in your web browser and open the "View Source" menu. Whatever you see there, it's what your PHP script will see (most likely, a blank page).
Last but not least... Supposing that the remote server is configured to not execute *.php files or contains a PHP script that generates PHP code, why would you want to post all that valuable and sensitive data to the Internet?
If the URL is publicly accessible, then yes, anyone can read it from the URL, including scripts.
However the key part here is that they will access the output of constants.php, not the file itself. They'll get exactly the same output as you would if you accessed the file from a web browser.
What they cannot do is include your actual PHP code by calling the URL. The URL is not a direct connection to the PHP file; it's a connection to the web server. The web server then processes the PHP file and provides the output. As long as the web server is processing the PHP file before sending the output, then your PHP code is safe. It can't be seen via the URL.
There may be other ways of getting at it, but not that way.
Yes, so long as you have access to the script, you can include it within your own scripts.

htaccess - Forbidden page to work only via ajax or only as an include

I want to deny visitors access to pages but still use the pages. How can I:
~ Make a page unviewable but allow it to process ajax requests.
~ Make a PHP file unviewable but include it in scripts.
It seems I need htaccess. I tried using it but it stopped me from using the file as an include.
For the ajax only thing, it seems I can use this in the ajax-only page:
<?php
$AJAX = (isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
         $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest');
if ($AJAX){
    // echo ajax code.
}
?>
Is this reliable?
One way to accomplish your second question about making it so a script is available for server-side inclusion and usage but not accessible from a client is to add this to an .htaccess file in the folder containing the scripts you wish to protect in this way:
deny from all
Try browsing to the script now and you should not be able to get to it. This works for the entire directory the .htaccess file is placed in.
Another way of 'shielding' the php file from access by clients through the web server like this is by placing the php files in a directory outside your wwwroot/public_html.
In your PHP config you'll have to add this dir to your include-search path, or simply include it via the correct relative path, or by using absolute paths.
For example, if you have root_containing_folder/wwwroot/index.php and root_containing_folder/app/core.php, in index.php you could have
require_once('../app/core.php');
and core would be included, but a browser could never get to core.php on its own. (If they could, it would have to be through a URL like www.facing-site.com/../app/core.php -- which your web server should never allow!)
You can't do those things: when a script makes an AJAX request, it's the user's browser that sends the request. If you want client-side scripts to see your content, browsers must be able to see it.
You can apply some security-through-obscurity, for example by putting some kind of auth token in the script. This won't give you much protection, as all a user has to do is read the JS to get the token, but it will stop casual visitors from poking around. Your 'if XHR' is effectively doing this - a browser won't normally send that header if the address is put in the address bar, but a user can easily get the same effect outside of your AJAX code.
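
Added example, not part of the answers above: the header check from the question beside a token that is stored in the visitor's PHP session and compared with hash_equals(). The function names, the X-Ajax-Token header and the ajax_token session key are assumptions made for the illustration, and plain arrays stand in for $_SERVER and $_SESSION so the script runs from the command line.

```php
<?php
// Added example; all names here are hypothetical, not from the thread.

/** The check from the question: it trusts a header the client controls. */
function looks_like_ajax(array $server): bool
{
    return ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}

/** Create (once per session) a random token that the page embeds for its own script. */
function issue_token(array &$session): string
{
    if (empty($session['ajax_token'])) {
        $session['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $session['ajax_token'];
}

/** Accept a request only if it carries the token stored in this visitor's session. */
function token_is_valid(array $session, array $server): bool
{
    $expected = $session['ajax_token'] ?? '';
    $supplied = $server['HTTP_X_AJAX_TOKEN'] ?? '';
    // hash_equals() compares in constant time; an empty expected token never matches.
    return $expected !== '' && is_string($supplied) && hash_equals($expected, $supplied);
}

// Constructed sample data: one session, and two requests that differ only in the token.
$session = [];
$token   = issue_token($session);

$fromPage  = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest', 'HTTP_X_AJAX_TOKEN' => $token];
$headerSet = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest']; // header present, no session token

foreach (['page script' => $fromPage, 'header only' => $headerSet] as $label => $request) {
    printf(
        "%-12s header check: %-5s token check: %s\n",
        $label,
        var_export(looks_like_ajax($request), true),
        var_export(token_is_valid($session, $request), true)
    );
}
```

The token ties a request to a session that loaded the page; it does not hide the response from that visitor, who can still read the token out of the page.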

Take file information?

So I know how to upload a file to a web-server with PHP. Instead of uploading it though, I just want to read the data from the file and use it, WITHOUT the upload part. Could someone link me up or give me an example plz?
From HTML, the file is always uploaded to the server, to a temp directory. If from PHP you don't move it to another directory, it will be deleted later, but you can still use it and read it in the script that handles the upload, as shown in the example of is_uploaded_file().
The only way to do that is to send the data of the file via POST and work with it via something like
$postData = file_get_contents( 'php://input' );
PHP is a server-side language, which means it either needs a server-side copy of the file (since it can't access the client) or you need to send parts of the file via common HTTP request methods that PHP can work with (POST or even GET)
There may be a way using JavaScript, but I can't think of any
A possible JavaScript solution:
https://developer.mozilla.org/en/DOM/FileReader
Not cross-browser; works only in Firefox and WebKit versions compatible with the HTML5 API.

How to get a file location url from a php redirect link?

I have a link to a download to a file that calls a php script before it starts downloading the file. Is it possible to somehow get the location of the file that is to be downloaded directly (maybe through some browser plugin)?
I need this because I want to use wget on another system to download the file directly. A problem might be authentication because I need to provide a username and password, but getting the file location URL is the first step I think.
Thanks,
Ivan
If the PHP script directly reads the file, no, you will never get the real location of that file.
If it redirects to it, yes, it's possible using the Firebug "net" tab or Live HTTP headers extension.
