Is a .php file protected from inclusion in outside domains?

nc wrote:

If www.any1.com has a lib\file1.php, can someone at
www.any2.com include the script

Yes, but only the output of the script would be included. So no php code
available to any2.com.

--
E. Dronkert

On Sat, 03 Dec 2005 17:44:18 GMT, nc <ra***@noone.nowhere> wrote:

If www.any1.com has a lib\file1.php, can someone at
www.any2.com include the script and access the items
in the script? Is it safely protected, or would we need
to handle such protections ourselves?

I.e.,

<?php include("http://www.any1.com/lib/file1.php");
// misc code which checks the defined variables...
echo(pw);
?>

I don't have a system right at the moment to test this.

Thanks, Ralph.

I'm usually putting all my lib files into one directory and protect it
with .htaccess file. So they are inaccessible for outer requests. But even
without it - the remote caller will see only script result output.


--
Exact Meta Search | Major Search Engine http://exactsearcher.com
Web Design Essex | Multimedia | Printing http://nextwave.co.uk

nc wrote:

If www.any1.com has a lib\file1.php, can someone at
www.any2.com include the script
Yes.
and access the items in the script?
No.
include("http://www.any1.com/lib/file1.php");

This is equivalent to

readfile("http://www.any1.com/lib/file1.php");

in that only the script's output (but not its internal environment)
will be captured.

Cheers,
NC

NC wrote:

nc wrote:

If www.any1.com has a lib\file1.php, can someone at
www.any2.com include the script

Yes.

and access the items in the script?

No.

The above it true, but your can also stop them from accessing the
'output' for the script as well. Set a special constant in your calling
PHP scripts and have the included script check for the constant to
insure it is an 'authorized' include.

Calling PHP:

<?php
define("THE_MAGIC_WORDS", TRUE); //Your special constant
require_once("myincludes/included.php');
//the rest of your script here
...

In the included PHP:
<?php
if(!defined("THE_MAGIC_WORDS")){
die("Tisk-tisk! Do you have my permission to use this file?");
}
//the rest of your script here
...

If the server is set up correctly they should never be able to see your
actual code, just the output.
--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

Thanks Jonathan and NC. :-)

I completely overlooked the variable's existing only
in the hosting server. So, on to the next issue that
comes up. I imagine that if two domains exist upon
one server, any1.com and any2.com, that the PHP
environments applied to each environment are 100%
independent of each other. Is this correct?

Let's take it one step farther and say any1.com is
permitted to trust any2.com, meaning any2.com gets
access to things on any1.com... I don't even know if
this is really possible on Apache servers, but I've
read that it's possible on Microsoft NT servers. And
even with the trust configured in a manner that provides
execution rights... (maybe this is a per server-type issue
dependent upon a method of installation) are the PHP
environments mutually exclusive and independent of
each other? Is it possible for two domain names to
use a shared install of PHP or is this the way it's done
on all servers (and perhaps this should be an Apache
question concerning this topic)?

I'm trying to get a feel for the security measures required
and appreciate any and all help.

Thanks, Ralph.

nc wrote:

I completely overlooked the variable's existing only
in the hosting server. So, on to the next issue that
comes up. I imagine that if two domains exist upon
one server, any1.com and any2.com, that the PHP
environments applied to each environment are 100%
independent of each other. Is this correct?
It depends on how the server is configured.
I'm trying to get a feel for the security measures required

Then read up on PHP's safe mode:

http://www.php.net/features.safe-mode

Cheers,
NC