Security and remote hosting question

[jbh]

I know .inc files are not secure as they can be viewed, however, if I want to have one website include a file from another, so I can share db connect info/other stuff and not have to change files on each server, I can't get the
php code to properly work on the other domain where I offer the include function.

For ex.) If site1.com tries to include a file on site2.com,
the php code from site2.com is useless.

How woudl I be able to securly parse that data from another server so if I add it on 5/10 other sites I can just edit ONE php file on site2.com and control the data on the other sites?

I searched this forum and can't find a sure fire solution. I know if I deny files with .htaccess I am stuck and .inc files will likely work, but they are a security nightmare.

Thanks

[bokehman]

server 2 would be password protected and server 1 would have to log in to be able to access the files. That would offer a medium level of protection but it all depends what level of security you think the files need.

[jbh]

That's my dilema. What does one do to ensure an include file gets through? That is where I am lost, I guess. I haven't seen any real world examples of doing this with php pages/code.

[Icheb]

You could have a system where the settings file is a php file on server A and only if the correct file from the correct server B accesses that settings file it outputs the php code, otherwise it would just return a blank page.

[clamcrusher]

simple example.

PHP Code:

<?php

$password = 'foo';

if (!isset($_GET['password'])) {
    exit;
}
if ($_GET['password'] !== $password) {
    exit;
}

echo '<?php

// all your php code here




?>';

however, your password is going to be stored in web caches and server logs now because it is part of the url. you could send the password via post if you like, eg using fsockopen()

but if you want my advice, dont do remote includes.

[jbh]

But how does one do that? Is this .htaccess? Configuring apache?

I read somewhere to use:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

But of course my include won't work.

Thanks. I will look at .htaccess/apache solutions as well. I just figured somebody here has done this. It's curious that we don't see more topics/articles on this.

[jbh]

Clamcrusher>>

For site1, where index.php includes www.site2.com/page.php
how would I activate that?

On edit...I missed the bottom part...

So, that would mean I am using this on site1.com

include("www.site2.com/page.php?password=xxxx");

?

I guess the reason I am confused is because anytime I tried to include another server's php data (connect info for a db, for instance) I get nothing. I did use (http://) in the include, though.

[clamcrusher]

include 'http://othersite.com/foo.php?password=foo';

[Icheb]

Did you actually read my response?

[jbh]

Is:
echo '<?php

// all your php code here

?>';

Required for parsing? On edit, I see that it is. I just was a bit confused at first. I am working on this now...thanks.

[jbh]

icheb>>Yes, and I asked you how to make that work. I never had to change settings to the point where I could have such control. The idea sounds great, I just don't know *how* to do that.

[bokehman]

correct file

I can't see how that fits in with the http protocol. What is the mechanism.

[Icheb]

icheb>>Yes, and I asked you how to make that work. I never had to change settings to the point where I could have such control. The idea sounds great, I just don't know *how* to do that.

Initially I wasn't refering to .htaccess rules, which is why I assumed you talked to clamcrusher. However, you bringing up .htaccess reminded me of a better way:

<Files secretsettingsfile.php4>
order deny, allow
deny from all
allow from .serverB.com
</Files>

Put that in your .htaccess file. It will prohibit any attempt to access the file from any domain other than .serverB.com .

[jbh]

clamcrusher>>Using that code, I can't quite use it to connect to a db. I'll get parse errors with "" in the strings for insert statements or blank page.

[jbh]

icheb>>Thanks. Since many other sites will use it, I am referring to that server, not just the domain, right?

Thanks.

[Icheb]

I'll get parse errors with "" in the strings for insert statements or blank page.

You would have to escape those characters of course.

icheb>>Thanks. Since many other sites will use it, I am referring to that server, not just the domain, right?

Thanks.

I added an emphasis just for you in my above post.

[jbh]

since I will offer access to plenty of domains, I will have site3.com, site4.com and site10.com do the same. Do I just use a comma list for them ? (I can have shell script dynamically generate this file so that is not a concern)

Thanks so much for your time. I love learning new things. Tremendous help.

[Icheb]

If it's easier to specify the IP address you can use

allow from 127.0.0.1

otherwise, if you want to specify all domains, use

allow from .siteA.com
allow from .siteB.com

You can probably also use something like

allow from .siteA.com .siteB.com

but I haven't used .htaccess in a while.

[jbh]

I guess IP is the best idea.

Thanks