I know how to find out the current domain name in PHP already, the problem is when I put this code into a file and then include it from another server it shows the domain name of where the file is located. Is there any way for it to find out the domain or the site containing the include() code?
Are you doing something like:
include 'http://example.com/script.php';
?
NB: This approach generally considered to be a bit of no-no from a security point of view.
Anyway, the included script is actually being executed on the other server, then the output of the script is being executed on the current server. You can get around this by echoing actual code, something like this:
Currently:
<?
//do something
echo '$v = '.$_SERVER['HTTP_HOST'].';'
?>
Other way:
<?
//do something
?>
$v = $_SERVER['HTTP_HOST'];
But then maybe I'm misunderstanding your question.
You can run it locally using "eval" then it should use the proper domain
store your script as a text file then download it and then execute:
eval(file_get_contents("http://someDomain.com/somePhpscript.txt"));
If you include a PHP page from another server, the page will get parsed by the original server and the result will be sent to you - the page you receive is nothing but text, no PHP code included.
This is a crude hack, but on the remote server, you could look up the domain name of $_ENV['REMOTE_HOST'].
This would be the domain name of the guy doing the "include" from the perspective of the remote server.
I assume you have some reason for wanting to implement this strange topology--restrictions in a virtual host environment, or something. I would suggest looking into alternative infrastructure if possible.
Related
I've read so many different inputs on this, so I figured I would ask on here.
Is there anything wrong or dangerous about using full links inside a php include?
Examples,
<?php include('http://www.domain.com/blah.php'); ?>
<?php
define('WEB_ROOT', './'); // relative path to /
include('layout.php');
?>
compared to using
<?php
include('../blah.php');
?>
include('http://www.domain.com/blah.php') goes out and makes an actual HTTP request to the web server, returning the contents of the URL after the web server has processed them, just as you'd see when entering that URL in your browser.
include('../blah.php') includes the local file from disk one directory higher.
The two are completely different things and you do not want to include a URL when you mean to include a local file. Even if the two are supposedly the same file, PHP cannot know that. Accessing a URL and accessing a local file path are entirely different things. It's not possible to infer that the two are the same.
<?php include('http://www.domain.com/blah.php'); ?> is very dangerous, you can't know in 100% what is the code you will get!!! becuse PHP do HTTP request and someome can do ManInTheMiddel attack and to change the code you will get, and to hack your site.
I am experiencing some very strange behavior when including a php file.
I need to load a script that is not on the same domain as the page that will be calling it.
I have already created a system that works using cURL, but I just recently found out that many of the sites that will need to have access to this script, do not have cURL installed.
I did, however, notice that these sites have allow_url_fopen set to on. With this knowledge I got started creating a new system that would let me just include the script on the remote site.
Just testing this out, I coded the script test.php as follows:
<?php
echo("test");
?>
I include this script on the remote page using:
<?php
include("http://mydomain.com/script.php");
?>
and it works no problem and "test" is printed at the top of the page.
However, if I add a function to the script and try to call the function from the page, it crashes.
To make it worse, this site has php errors turned off and I have no way of turning it on.
To fully make sure that I didn't just mess up the code, I made my test.php look like this:
<?php
function myfunc()
{
return "abc";
}
?>
Then on the page including the file:
<?php
include("http://mydomain.com/script.php");
echo(myfunc());
?>
And it crashes.
Any ideas would be greatly appreciated.
This is not odd behavior, but since you load the file over the internet (note in this case the World Wide Web), the file is interpreted before it is sent to your include function.
Since the script is interpreted no functions will be visible, but only the output of the script.
Either load it over FTP or create an API for the functions.
My guess: The PHP of http://mydomain.com/script.php is interpreted by the web server of mydomain.com. All you're including is the result of that script. For a simple echo("test"), that's "test". Functions do not produce any output and are not made available to the including script. Confirm this by simply visiting http://mydomain.com/script.php in your browser and see what you get. You would need to stop mydomain.com from actually interpreting the PHP file and just returning it as pure text.
But: this sounds like a bad idea to begin with. Cross-domain includes are an anti-patterns. Not only does it open you up to security problems, it also makes every page load unnecessarily slow. If cross-domain inclusions is the answer, your question is wrong.
You are including the client side output from test.php rather than the server-side source code. Rename test.php to test.phpc to prevent executing the script. However this is dangerous out of security point of view.
I'm trying to dynamically detect the root directory of my page in order to direct to a specific script.
echo ($_SERVER['DOCUMENT_ROOT']);
It prints /myName/folder/index.php
I'd like to use in a html-file to enter a certain script like this:
log out
This seems to be in bad syntax, the path is not successfully resolved.
What's the proper approach to detect the path to logout.php?
The same question in different words:
How can I reliably achieve the path to the root directory (which contains my index.php) from ANY subdirectory? No matter if the html file is in /lib/subfolder or in /anotherDirectory, I want it to have a link directing to /lib/logout.php
On my machine it's supposed to be http://localhost/myName/folder (which contains index.php and all subdirectories), on someone else's it might be http://localhost/project
How can I detect the path to application root?
After some clarification from the OP it become possible to answer this question.
If you have some configuration file being included in all php scripts, placed in the app's root folder you can use this file to determine your application root:
$approot = substr(dirname(__FILE__),strlen($_SERVER['DOCUMENT_ROOT']));
__FILE__ constant will give you filesystem path to this file. If you subtract DOCUMENT_ROOT from it, the rest will be what you're looking for. So it can be used in your templates:
log out
Probably you are looking for the URL not the Path
log out
and you are not echoing the variable in your example.
Your DOCUMENT_ROOT is local to your machine - so it might end up being c:/www or something, useful for statements like REQUIRE or INCLUDE but not useful for links.
If you've got a page accessible on the web - linking back to a document on C: is going to try and get that drive from the local machine.
So for links, you should just be able to go /lib/logout.php with the initial slash taking you right to the top of your web accessible structure.
Your page, locally - might be in c:/www/myprojects/project1/lib/logout.php but the site itself might be at http://www.mydomain.com/lib/project.php
Frameworks like Symfony offer a sophisticated routing mechanism which allows you to write link urls like this:
log out
It has tons of possibilities, which are described in the tutorial.
Try this,
log out
This jumps to the root directly.
DOCUMENT_ROOT refers to the physical path on the webserver. There is no generic way to detect the http path fragment. Quite often you can however use PHP_SELF or REQUEST_URI
Both depend on how the current script was invoked. If the current request was to the index.php in a /whatever/ directory, then try the raw REQUEST_URI string. Otherwise it's quite commonly:
<?= dirname($_SERVER["SCRIPT_NAME"]) . "/lib/logout.php" ?>
It's often best if you use a configurable constant for such purposes however. There are too many ifs going on here.
I'm trying to figure this out for PHP as well. In asp.net, we have Request.ApplicationPath, which makes this pretty easy.
For anyone out there fluent in PHP who is trying to help, this code does what the OP is asking, but in asp.net:
public string AppUrl
{
get
{
string appUrl = Request.Url.GetLeftPart(UriPartial.Authority) + Request.ApplicationPath;
if (appUrl.Substring(appUrl.Length - 1) != "/")
{
appUrl += "/";
}
// Workaround for sockets issue when using VS Built-int web server
appUrl = appUrl.Replace("0.0.0.0", "localhost");
return appUrl;
}
}
I couldn't figure out how to do this in PHP, so what I did was create a file called globals.php, which I stuck in the root. It has this line:
$appPath = "http://localhost/MyApplication/";
It is part of the project, but excluded from source control. So various devs just set it to whatever they want and we make sure to never deploy it. This is probably the effort the OP is trying to skip (as I skipped with my asp.net code).
I hope this helps lead to an answer, or provides a work-around for PHPers out there.
i have some problem i try to get the uri in php.
I'm using:
$_SERVER['REQUEST_URI']
It works just fine if i do it in the index.php, but, i NEED to get the url in a include file, but, when i do it, it takes the FILE adress, i mean, it shows something like this
adress bar: www.webpage.com/index.php
$_SERVER['REQUEST_URI'] output: webpage/includefile.php
I am explaining myself here? Thanks!
How are you including the file? If it's being included via an HTTP reference then it's actually being served as a page and the functionality you are seeing is correct. If the include path is a local file, you shouldn't be seeing this behaviour
Found this whilst trying to solve the same issue.
My solution that worked is to use $_SERVER['HTTP_REFERER']
This worked well in that it also included the parameters (e.g. ?this=that&foo=bar)
Maybe somewhere in your code (or in another include file) the value is overwritten.
Recently I created a script that accesses another script to run it. The only way the second script will run, is if it is accessed from the same server. To accomplish this I've made a simple if ($_SERVER['REMOTE_ADDR'] == "XXX.XXX.XXX.XXX") {
(Obviously the XXX.XXX.XXX.XXX is replaced with my server's IP.)
However, I'd like the script to be more portable, so I want it to somehow detect the IP of the same server or something.
Suggestions? Or is this even possible?
A better approach would be to store the second script outside of webroot.
To answer your question $_SERVER['SERVER_ADDR'] will return the IP Address of the server where the current script is executing, but yeah there's better ways to do this, such as making the script unable to be accessed from the web in the first place.
http://php.net/manual/en/reserved.variables.server.php
You could always do something like...
if($_SERVER['REMOTE_ADDR'] == $_SERVER['SERVER_ADDR'] ){
// Do my stuff
} else {
header("Location: http://elsewhere.com");
}
This solution is tied to Apache, but you could copy the idea of stopping hot-linkers linking to your images, just change the parameters to fit your named scripts, or put those local-access only scripts in a single folder - might be a bit more manageable.
http://altlab.com/htaccess_tutorial.html