Some people disable the http wrapper for the include function. I need to use a query string when including a file, so I can't include it as a local file. Is it possible for me to override this setting? Can hosting companies make it impossible to override?
As long as I sanitise the input, I should be ok right?
No, you are never OK running the code you've got from a remote server. There are way too many ways to trick you into running something you don't expect. You'd better avoid it. If you are into adventures then you can try it with the curl extension, which is usually enabled on shared hosting. First get your text via curl
http://php.net/manual/en/function.curl-init.php
then eval it
http://php.net/manual/en/function.eval.php
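The safe alternative to a query-string-driven remote include, as an added example that is not part of the original question or answer: map the query-string value onto a local file through an allowlist and pass the remaining parameters to it as variables. The templates directory and file names are assumptions for the example.

```php
<?php
// Added example, not from the original post. Instead of
//   include "http://host/page.php?section=x&page=2";
// map the section name to a local file through an allowlist and hand the
// remaining parameters to the included file as plain variables.
declare(strict_types=1);

// Paths are assumptions for the example; adjust to your own layout.
const TEMPLATE_DIR = __DIR__ . '/templates';
const TEMPLATES = [
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

function includeSection(string $section, array $params): string
{
    // Reject anything not in the allowlist; never build a path from the raw value.
    if (!array_key_exists($section, TEMPLATES)) {
        http_response_code(404);
        return 'Unknown section';
    }
    $file = TEMPLATE_DIR . '/' . TEMPLATES[$section];
    // The included file reads $params instead of a query string, so the
    // http:// wrapper (allow_url_include) is never needed.
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// allow_url_include is PHP_INI_SYSTEM: it can only be set in php.ini or the
// server config, never from a script. Log it if a host has left it on.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is on; remote code inclusion is possible');
}

echo includeSection($_GET['section'] ?? 'news', ['page' => (int) ($_GET['page'] ?? 1)]);
```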
I was wondering if it is safe to have exec() enabled on my server. I would like to use it to execute a ping command inside a script to check to see if my servers are running. The IPs that are being passed into the exec() function are all hard coded into an array so it should be safe to run.
My worry is exec() could be injected somewhere else on my site via a self referencing form or into the database. Is this possible?
As long as you are the only one with access to the server, it is secure. The problem however occurs when somebody manages to get access to your server. This can be for several reasons, like stupid mistakes in coding, unknowingly creating holes, you lose your password, etc.
If you have exec enabled and somebody does manage to gain access, he can do almost anything with your server. That's why it's disabled in most environments. And I advise you to keep it that way.
If ping is what you want to do, check out how-to-ping-a-server-with-php
Yes. You'll definitely want to disable exec. This is more a debug function than something actually needed in scripts.
If you really need it, you can limit its capabilities, but I would discourage this approach.
Use this to ping a server from PHP.
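A way to check the servers from the hard-coded list without needing exec() at all, as an added example that is not part of the original posts: a TCP connect to a known port stands in for the ping binary, and every address is validated even though it is hard coded, since the array could later be fed from a form or the database. The IP list is constructed sample data; the `-c`/`-W` flags in the fallback assume Linux ping.

```php
<?php
// Added example, not from the original posts. Checks a fixed list of hosts
// without exec(): a TCP connect to a known port replaces the ping binary.
declare(strict_types=1);

// Constructed sample list; real code would hold your own servers' addresses.
const MONITORED = [
    ['ip' => '192.0.2.10', 'port' => 80],
    ['ip' => '192.0.2.11', 'port' => 443],
];

function hostIsUp(string $ip, int $port, float $timeout = 2.0): bool
{
    // Validate even "hard coded" values: if the array is ever populated from a
    // form or the database, this is the check that stops a crafted entry.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || $port < 1 || $port > 65535) {
        throw new InvalidArgumentException("refusing to probe $ip:$port");
    }
    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client("tcp://$ip:$port", $errno, $errstr, $timeout);
    if ($sock === false) {
        return false;           // connection refused or timed out
    }
    fclose($sock);
    return true;
}

// If exec() really must stay enabled for an ICMP ping, never interpolate the
// raw value: validate it as an IP and quote it with escapeshellarg().
function pingViaExec(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    // Linux ping flags assumed: one packet, two-second timeout.
    exec('ping -c 1 -W 2 ' . escapeshellarg($ip), $output, $status);
    return $status === 0;
}

foreach (MONITORED as $h) {
    printf("%s:%d %s\n", $h['ip'], $h['port'], hostIsUp($h['ip'], $h['port']) ? 'up' : 'down');
}
```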
I'm trying to retrieve some remote XML from another source using PHP. I understand that you're not supposed to enable allow_url_fopen for security reasons, so I'm not really sure how to go about doing this.
You might want to use curl for that. If your XML is available via HTTP, first curl it, then feed it to the XML parser.
allow_url_fopen isn't unsafe or scary or dangerous per se, it's just that quite often it is disabled on shared hosting for various reasons.
If you control your own hosting environment, I'd say go with it. Otherwise, use curl as suggested.
I'm making a simple web server using PHP and sockets. Everything is working fine right now (static content only). I'm interested in supporting the execution of PHP files.
How would I go about doing this? I don't really want to use eval($fileContents) since that does not seem very secure. Is there some way that I can use FastCGI sockets or something?
What about PHP-CGI?
I've decided on using FastCGI, so here's a more specific question:
How do I pass files into PHP-CGI and get the output as a string?
php-cgi "phpinfo.php" outputs HTML content like I want.
I understand that I can use sockets but I can't seem to find out what to send into that socket to get the output.
Thanks
What's so insecure in eval($fileContents)? Or, more familiar but actually equal, include $fileName?
(with proper filename sanitizing of course)
Apparently it's no more insane than the PHP web server itself.
You could exec() the PHP executable from within your web server. Though you'd also have to finagle the passing of GPC data to the script in question.
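Running php-cgi as a CGI child process and capturing its output as a string, the way the socket-based server in the question would, as an added example that is not part of the original posts. It assumes `php-cgi` is on PATH and an `htdocs/phpinfo.php` next to the script; the request path is mapped onto the document root and anything that escapes it is refused before the file name ever reaches SCRIPT_FILENAME.

```php
<?php
// Added example, not from the original posts: run php-cgi as a CGI child process
// and capture its output as a string, the way a small socket-based server would.
declare(strict_types=1);

// Maps a request path onto the document root and refuses anything that escapes it.
function resolveScript(string $docRoot, string $requestPath): ?string
{
    $root = realpath($docRoot);
    $target = $root === false ? false : realpath($root . '/' . ltrim($requestPath, '/'));
    $prefix = $root . DIRECTORY_SEPARATOR;
    return ($target !== false && strncmp($target, $prefix, strlen($prefix)) === 0) ? $target : null;
}

function runPhpCgi(string $script, string $query = '', string $method = 'GET', string $body = ''): array
{
    $env = [
        'PATH'              => (string) getenv('PATH'),   // proc_open replaces the environment
        'GATEWAY_INTERFACE' => 'CGI/1.1',
        'REDIRECT_STATUS'   => '200',   // php-cgi refuses to run without it (cgi.force_redirect)
        'SCRIPT_FILENAME'   => $script, // the file to execute; never the raw request line
        'REQUEST_METHOD'    => $method,
        'QUERY_STRING'      => $query,  // becomes $_GET inside the script
        'CONTENT_TYPE'      => 'application/x-www-form-urlencoded',
        'CONTENT_LENGTH'    => (string) strlen($body),
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open('php-cgi', $spec, $pipes, null, $env); // php-cgi assumed to be on PATH
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start php-cgi');
    }
    fwrite($pipes[0], $body); // POST data goes to stdin and becomes $_POST
    fclose($pipes[0]);
    $raw = (string) stream_get_contents($pipes[1]);
    $err = (string) stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    // CGI output is a header block, a blank line, then the body; hand both to the server.
    [$headers, $html] = array_pad(preg_split("/\r?\n\r?\n/", $raw, 2), 2, '');
    return ['headers' => $headers, 'body' => $html, 'stderr' => $err];
}

// htdocs/phpinfo.php is assumed to exist next to this script.
$script = resolveScript(__DIR__ . '/htdocs', '/phpinfo.php');
if ($script === null) {
    exit("403 Forbidden\n");
}
echo runPhpCgi($script, 'a=1')['body'];
```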
I have an XML file I can get via a URL. I know I can get the file using fopen, but sometimes I've seen scripts use curl. Is there an advantage to using curl over fopen to get XML files?
allow_url_fopen, which is required if you want to open a remote file with fopen, can be disabled; so, there are situations in which fopen('http://...') is not possible.
Note: in this answer, I say "fopen", but it's exactly the same with all PHP functions that can access remote files: fopen, file_get_contents, simplexml_load_file, ...
On the other hand, curl is an extension, and is not always enabled either.
One nice thing with curl is that it's pretty easy to configure, and there are a lot of existing options (see curl_setopt).
To configure the way fopen accesses remote files, it's a bit trickier -- you'll generally have to work with streams (see here, for example); and, generally speaking, there are more people knowing curl than there are developers mastering streams.
Safest way -- especially if your application will be deployed to servers on which you are not administrator, and cannot re-configure:
Try one solution
And, if it doesn't work, try the other one
Well, if you are going to use SimpleXML to load the file you can use
simplexml_load_file($filename);
However, some servers will restrict loading urls from this function. In this case you would be restricted to cURL.
fopen is simpler to use, and I think not all server setups support curl out of the box. If fopen works fine for you it's probably your best choice.
I am looking for some advice on the best way to retrieve information from a web page (my own site) and then search through that information to find a certain text.
Keeping in mind that some of the servers that run PHP/Joomla do not have cURL enabled, I don't want to cause any unexpected errors.
I've looked at both fopen() and file_get_contents() and both seem to have conflicting views of each other in terms of which will work with/without cURL.
They will both work without curl, but you need to have allow_url_fopen enabled. You can check that by executing phpinfo(). There are security implications however, see this:
Should I allow 'allow_url_fopen' in PHP?
So to grab pages, you can use fopen(), file_get_contents() or some other independent HTTP client implemented in PHP such as HttpClient that can function without those.
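The "try one, fall back to the other" strategy from the earlier answer, applied to the remote-XML questions above, as an added example that is not part of the original posts: file_get_contents() when allow_url_fopen is on, cURL otherwise, with the URL restricted to http(s) and the XML parsed with network access off so the document cannot pull in remote entities. The feed URL uses example.com as a placeholder host.

```php
<?php
// Added example, not from the original posts. Fetches an XML document over HTTP,
// using file_get_contents() when allow_url_fopen is on and cURL otherwise, then
// parses it with network access disabled so the XML cannot pull in remote entities.
function fetchUrl(string $url, int $timeout = 10): string
{
    // Only http(s): keeps file://, php://, ftp:// and friends out of the fetch path.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("unsupported URL scheme: $scheme");
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx = stream_context_create(['http' => ['timeout' => $timeout]]);
        $data = @file_get_contents($url, false, $ctx);
        if ($data !== false) {
            return $data;
        }
    }
    if (!function_exists('curl_init')) {
        throw new RuntimeException('neither allow_url_fopen nor the curl extension is available');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect must not switch to another scheme
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    $data = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($data === false) {
        throw new RuntimeException("curl failed: $err");
    }
    return (string) $data;
}

function loadXml(string $xml): SimpleXMLElement
{
    // LIBXML_NONET blocks DTD/entity fetches; LIBXML_NOENT is deliberately not set.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new RuntimeException('invalid XML');
    }
    return $doc;
}

// example.com is a placeholder host for the sake of the example.
$feed = loadXml(fetchUrl('https://example.com/feed.xml'));
echo $feed->getName(), "\n";
```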