  1. #1
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608

    Security and remote hosting question

    I know .inc files are not secure as they can be viewed, however, if I want to have one website include a file from another, so I can share db connect info/other stuff and not have to change files on each server, I can't get the php code to properly work on the other domain where I offer the include function.

    For ex.) If site1.com tries to include a file on site2.com, the php code from site2.com is useless.

    How would I be able to securely parse that data from another server so if I add it on 5/10 other sites I can just edit ONE php file on site2.com and control the data on the other sites?

    I searched this forum and can't find a sure fire solution. I know if I deny files with .htaccess I am stuck and .inc files will likely work, but they are a security nightmare.

    Thanks

  2. #2
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,933
    server 2 would be password protected and server 1 would have to log in to be able to access the files. That would offer a medium level of protection but it all depends what level of security you think the files need.

  3. #3
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    That's my dilemma. What does one do to ensure an include file gets through? That is where I am lost, I guess. I haven't seen any real world examples of doing this with php pages/code.

  4. #4
    Non-Member Icheb's Avatar
    Join Date
    Mar 2003
    Location
    Germany
    Posts
    1,474
    You could have a system where the settings file is a php file on server A and only if the correct file from the correct server B accesses that settings file it outputs the php code, otherwise it would just return a blank page.

  5. #5
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    simple example.

    PHP Code:
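    <?php

    $password = 'foo';

    // Refuse the request unless the expected password is supplied.
    if (!isset($_GET['password'])) {
        exit;
    }
    if ($_GET['password'] !== $password) {
        exit;
    }

    // Output PHP source for the including site to execute.
    echo '<?php

    // all your php code here

    ?>';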

    however, your password is going to be stored in web caches and server logs now because it is part of the URL. you could send the password via post if you like, e.g. using fsockopen()

    but if you want my advice, don't do remote includes.
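
    An added example, not part of the post above or of the thread: one way to act on both points, sending the password in a POST body over HTTPS so it stays out of the URL, and returning the shared settings as JSON data instead of PHP source to include. The function names, hostnames, secret and settings values are assumptions made up for illustration.

```php
<?php
// Added example (not from the thread). Hostnames, the secret and the
// settings values below are constructed placeholders.

// --- site2.com/settings.php: hand out settings as data, never as PHP source ---
function serve_settings(array $post, string $expectedSecret): ?string
{
    $given = $post['password'] ?? '';
    // hash_equals() compares in constant time; reject non-strings and mismatches.
    if (!is_string($given) || !hash_equals($expectedSecret, $given)) {
        return null; // caller answers 403 with an empty body
    }
    return json_encode(['db_host' => 'db.internal.example', 'db_name' => 'shop']);
}

// --- site1.com: POST the secret over HTTPS, so it is not part of the URL ---
function fetch_settings(string $url, string $secret): array
{
    $context = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['password' => $secret]),
        'timeout' => 5,
    ]]);
    $body = file_get_contents($url, false, $context);
    if ($body === false) {
        throw new RuntimeException('settings request failed');
    }
    return parse_settings($body);
}

function parse_settings(string $body): array
{
    // json_decode() only builds values; nothing in the reply is executed.
    $settings = json_decode($body, true);
    if (!is_array($settings) || !isset($settings['db_host'], $settings['db_name'])) {
        throw new UnexpectedValueException('malformed settings reply');
    }
    return $settings;
}

// Offline check with constructed input: a wrong secret is refused,
// the right one yields a reply that parses into an array.
var_dump(serve_settings(['password' => 'wrong'], 'constructed-secret'));
$reply = serve_settings(['password' => 'constructed-secret'], 'constructed-secret');
print_r(parse_settings($reply));
```

    fetch_settings() needs allow_url_fopen and the openssl extension for an https:// URL; site1 never passes the reply to include or eval.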

  6. #6
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    But how does one do that? Is this .htaccess? Configuring apache?

    I read somewhere to use:
    <Files ~ "\.inc$">
    Order allow,deny
    Deny from all
    </Files>

    But of course my include won't work.

    Thanks. I will look at .htaccess/apache solutions as well. I just figured somebody here has done this. It's curious that we don't see more topics/articles on this.

  7. #7
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    Clamcrusher>>

    For site1, where index.php includes www.site2.com/page.php
    how would I activate that?

    On edit...I missed the bottom part...

    So, that would mean I am using this on site1.com

    include("www.site2.com/page.php?password=xxxx");

    ?

    I guess the reason I am confused is because anytime I tried to include another server's php data (connect info for a db, for instance) I get nothing. I did use (http://) in the include, though.

  8. #8
    SitePoint Wizard silver trophy
    Join Date
    Mar 2006
    Posts
    6,132
    include 'http://othersite.com/foo.php?password=foo';

  9. #9
    Non-Member Icheb's Avatar
    Join Date
    Mar 2003
    Location
    Germany
    Posts
    1,474
    Did you actually read my response?

  10. #10
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    Is:
    echo '<?php

    // all your php code here

    ?>';

    Required for parsing? On edit, I see that it is. I just was a bit confused at first. I am working on this now...thanks.

  11. #11
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    icheb>>Yes, and I asked you how to make that work. I never had to change settings to the point where I could have such control. The idea sounds great, I just don't know *how* to do that.

  12. #12
    Keep it simple, stupid! bokehman's Avatar
    Join Date
    Jul 2005
    Posts
    1,933
    Quote Originally Posted by Icheb
    correct file
    I can't see how that fits in with the http protocol. What is the mechanism?

  13. #13
    Non-Member Icheb's Avatar
    Join Date
    Mar 2003
    Location
    Germany
    Posts
    1,474
    Quote Originally Posted by jbh
    icheb>>Yes, and I asked you how to make that work. I never had to change settings to the point where I could have such control. The idea sounds great, I just don't know *how* to do that.
    Initially I wasn't referring to .htaccess rules, which is why I assumed you talked to clamcrusher. However, you bringing up .htaccess reminded me of a better way:

    <Files secretsettingsfile.php4>
    order deny,allow
    deny from all
    allow from .serverB.com
    </Files>

    Put that in your .htaccess file. It will prohibit any attempt to access the file from any domain other than .serverB.com.

  14. #14
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    clamcrusher>>Using that code, I can't quite use it to connect to a db. I'll get parse errors with "" in the strings for insert statements or blank page.

  15. #15
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    icheb>>Thanks. Since many other sites will use it, I am referring to that server, not just the domain, right?

    Thanks.

  16. #16
    Non-Member Icheb's Avatar
    Join Date
    Mar 2003
    Location
    Germany
    Posts
    1,474
    Quote Originally Posted by jbh
    I'll get parse errors with "" in the strings for insert statements or blank page.
    You would have to escape those characters of course.

    Quote Originally Posted by jbh
    icheb>>Thanks. Since many other sites will use it, I am referring to that server, not just the domain, right?

    Thanks.
    I added an emphasis just for you in my above post.

  17. #17
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    Since I will offer access to plenty of domains, I will have site3.com, site4.com and site10.com do the same. Do I just use a comma list for them? (I can have shell script dynamically generate this file so that is not a concern)

    Thanks so much for your time. I love learning new things. Tremendous help.

  18. #18
    Non-Member Icheb's Avatar
    Join Date
    Mar 2003
    Location
    Germany
    Posts
    1,474
    If it's easier to specify the IP address you can use

    allow from 127.0.0.1

    otherwise, if you want to specify all domains, use

    allow from .siteA.com
    allow from .siteB.com

    You can probably also use something like

    allow from .siteA.com .siteB.com

    but I haven't used .htaccess in a while.

  19. #19
    SitePoint Guru
    Join Date
    Mar 2002
    Posts
    608
    I guess IP is the best idea.

    Thanks

