Forum Moderators: coopster
Because the algorithms are proprietary in nature and some of the services use a large set of data in my MySQL database, I don't want to just hand over the PHP scripts to interested webmasters, but instead only the URLs to the scripts on my server. The idea is that the remote webmaster uses the file_get_contents() function with the URL of my PHP script as the parameter. Something like
$result = file_get_contents( "http://example.com/my-script?var1=1&var2=2" );
I know there are security problems when including PHP scripts from a remote location and that is why remote including is switched off by default. Hackers can exploit the ability to run remote scripts by executing their code on a remote server from your PHP instance. But as far as I have researched, using the include technique with file_get_contents() only gives a string which can be processed further by the calling PHP instance. My remote scripts should have no interference with variables declared in the calling script and have no execute privileges on the calling server because both the calling and serving PHP scripts are executed in different instances of PHP.
Is this a safe way of providing my services to others, or are there better ways to do this?
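As an added example (not code from the original question), here is what the calling side of the pattern described above looks like when the response is treated strictly as data: file_get_contents() hands back bytes, they are parsed as JSON, and anything that does not match the expected shape is rejected. The URL, the parameter names and the JSON response format are assumptions; the sample responses at the bottom are constructed so the script runs without a network connection.

```php
<?php
// Added example, not from the original post. Consumer side of the pattern:
// fetch the provider's output as a STRING and treat it as data. Nothing in
// the response is ever executed by this PHP instance.
// Assumed: URL http://example.com/my-script, parameters var1/var2, and a JSON
// response of the form {"status":"ok","score":<int>}.

declare(strict_types=1);

// Parse and validate the provider's response; anything but the assumed
// shape is rejected.
function parse_service_response(string $body): array
{
    $data = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || ($data['status'] ?? null) !== 'ok') {
        throw new RuntimeException('unexpected response from service');
    }
    if (!isset($data['score']) || !is_int($data['score'])) {
        throw new RuntimeException('score missing or not an integer');
    }
    return ['score' => $data['score']];
}

// Build the request URL from local values; http_build_query() encodes them so
// a value containing '&' or '#' cannot smuggle extra parameters into the URL.
function build_service_url(string $base, array $params): string
{
    return $base . '?' . http_build_query($params);
}

// Fetch with a timeout so a slow remote host cannot hang the calling page.
function fetch_service(string $url): string
{
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('service unreachable');
    }
    return $body;
}

// --- Constructed sample responses (no network needed to see the point) ---

// A well-formed response.
$good = '{"status":"ok","score":42}';
print_r(parse_service_response($good));

// A hostile response containing PHP code. Retrieved via file_get_contents()
// it is only a string: json_decode() rejects it and nothing runs. The same
// bytes fed to include('http://...') WOULD execute in the caller's process,
// which is why allow_url_include is off by default.
$hostile = '<?php system("id"); ?>';
try {
    parse_service_response($hostile);
} catch (JsonException $e) {
    echo "rejected hostile response: {$e->getMessage()}\n";
}

// Live usage (assumed URL and parameters):
// $url    = build_service_url('http://example.com/my-script', ['var1' => 1, 'var2' => 2]);
// $result = parse_service_response(fetch_service($url));
```

The validation step is what keeps the caller safe from a compromised or misbehaving provider: the string is never passed to eval(), include() or unserialize(), and only the fields the caller expects, with the types it expects, survive parsing.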
The security issue is for the people using your script. As they have no control, you could do what you wanted. However there are plenty of people that offer services like you are talking about, so they must be used.
file_get_contents to read the entire file into a string from a URL is not in and of itself dangerous. First, as you noted, delivering the appropriate document from your site is not an issue. That is done via browsers everyday. There is no difference between a user typing http://www.example.com/my-script?var1=1&var2=2 into the browser and somebody else using file_get_contents to get the intended resource. You are going to deliver the same either way. You cover your own behind by scrubbing any GET request data before you process, format and respond.

The receiving site is only in as much danger as they will allow too. And quite honestly, if you are a trusted business partner they are going to want or need to request the information and display it! That may be in an <iframe> or it may be read in using file_get_contents, curl, ... whatever. The issue comes in when you have a look at PHP security and the level of lockdown that is occurring across the board. More and more shared hosting providers are turning off allow_url_fopen by default as that is what is being recommended to them. Therefore, anybody trying to retrieve data via file_get_contents from an external URL is going to get errors or broken code, including well-written code which relies upon this feature.

allow_url_fopen is of changeable type PHP_INI_SYSTEM so the entry could be set in php.ini or httpd.conf -- but good luck with that on a shared host.
I figure it is your job to offer the data in as many formats as you think you could/should (http/html, xml, txt, etc) and how your end user decides to access and display it is their choice, their issue. If they are on shared hosting and are not allowed to retrieve it via the method they desire and their host is unwilling to override this setting for a particular domain/file on their end then they have to make some decisions about their hosting provider I guess.
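As an added example (not code from the original post), the two halves of the arrangement described in the answer above: the provider scrubbing its GET parameters before it processes and responds, and a consumer that can still retrieve the resource when its host has allow_url_fopen switched off. The script name, the parameter names and ranges, the JSON format and the curl fallback are assumptions; the query arrays at the bottom are constructed to stand in for $_GET so the provider half runs offline.

```php
<?php
// Added example, not from the original post. Assumed: provider script at
// http://www.example.com/my-script taking integer parameters var1 and var2,
// answering with JSON {"status":"ok","score":<int>}.

declare(strict_types=1);

// ---- Provider side: "scrub any GET request data before you process" ----
// Accept only the parameters you expect, with the type and range you expect,
// and refuse the request otherwise. Unknown parameters are simply ignored.
function read_service_params(array $query): array
{
    $allowed = [
        'var1' => ['min_range' => 0, 'max_range' => 1000],   // assumed ranges
        'var2' => ['min_range' => 0, 'max_range' => 1000],
    ];
    $clean = [];
    foreach ($allowed as $name => $range) {
        $value = filter_var($query[$name] ?? null, FILTER_VALIDATE_INT, ['options' => $range]);
        if ($value === false) {
            throw new InvalidArgumentException("missing or invalid parameter: $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Process, format and respond. Returns the body; sets the HTTP status.
function serve_request(array $query): string
{
    try {
        $p = read_service_params($query);
        // Placeholder for the proprietary computation. Any MySQL lookup here
        // would bind $p['var1'] / $p['var2'] as prepared-statement parameters.
        $payload = ['status' => 'ok', 'score' => $p['var1'] * $p['var2']];
        http_response_code(200);
        return json_encode($payload);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return json_encode(['status' => 'error', 'message' => $e->getMessage()]);
    }
}

// ---- Consumer side: retrieve the resource with or without URL wrappers ----
function fetch_resource(string $url): string
{
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
        $body = @file_get_contents($url, false, $ctx);
    } elseif (function_exists('curl_init')) {
        // allow_url_fopen is PHP_INI_SYSTEM, so ini_set() cannot turn it on
        // from a script; the curl extension is the usual fallback when a
        // shared host has disabled URL wrappers.
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => 5,
            CURLOPT_FOLLOWLOCATION => false,
        ]);
        $body = curl_exec($ch);
        curl_close($ch);
    } else {
        throw new RuntimeException('this host offers no way to fetch remote URLs');
    }
    if ($body === false) {
        throw new RuntimeException('fetch failed');
    }
    return $body;
}

// Constructed query arrays standing in for $_GET, exercised offline:
echo serve_request(['var1' => '3', 'var2' => '7']), "\n";
echo serve_request(['var1' => '3; DROP TABLE x', 'var2' => '7']), "\n";
echo serve_request(['var1' => '3', 'var2' => '7', 'debug' => '1']), "\n";

// Live usage on the consumer (assumed URL):
// $body = fetch_resource('http://www.example.com/my-script?var1=3&var2=7');
```

The provider's whitelist is what makes "you are going to deliver the same either way" hold: a browser, file_get_contents() and curl all get the same validated processing, and a malformed parameter is answered with a 400 and an error body rather than reaching the database. The consumer's fallback does not get around the host's policy; it just uses the extension the host did leave enabled.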