
[SOLVED] HELP: allow include() just from my server

Posted: Sat Oct 23, 2004 1:45 am
by Sir-Alucard
Hi. I'm new to php and I was concerned about the include feature of php. I am using it right now for my scripts but I don't want other people to include my scripts in theirs. I just want my script to verify from what server the script was called or included.

I did this as an example but it DIDN'T WORK because both ($_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST']) gave me the server where the included file is and not from where it was included:

Code:

<?php

if($_SERVER['SERVER_NAME'] != $_SERVER['HTTP_HOST']){
    $ERROR = 'Error to display'; // Error to display
    exit($ERROR);
}

// Everything is ok

?>
Any help? Thanks in advance and sorry for my English.

Posted: Sat Oct 23, 2004 2:34 am
by timvw
you could also post/get a password to the script, and test if it's the right one.

or look to $_SERVER['REMOTE_ADDR']

Posted: Sat Oct 23, 2004 3:20 am
by Sir-Alucard
Thank you, that worked well for what I was looking for. I've used this method:
@require('somefile.php?somevar=accessword');

Posted: Sat Oct 23, 2004 3:34 am
by rehfeld
the thing is, they can still get your files when doing stuff like that

file_get_contents('usr/your_doc_root/script.php');

then save it, and use it. but if that's not what you're worried about
you could make sure that the parent script (the one doing the include) is in your doc root, if not, exit();



maybe

Code:

<?php

if ($_SERVER['DOCUMENT_ROOT'] !== 'hardcode/your/docroot/here') {
    exit;
}

?>

this is why php offers safe mode, and open_basedir. it's a non-ideal solution to shared hosting security problems. But it's usually the best solution...

but really, if someone is trying to mess with you, and shares the server w/ you, you're not gonna stop them w/ this kinda stuff...no matter what you do w/ php, remember, they can prob still use cgi

Posted: Sat Oct 23, 2004 1:37 pm
by Sir-Alucard
Thanks for your post rehfeld, nobody is sharing the server with me but, as I said, I'm new to php and I didn't know about the "file_get_contents" function. Thanks for the information.

And to clarify my last post, so as not to confuse any newbie like me, the method I used before doesn't work correctly:
@require('somefile.php?somevar=accessword');

It's better to use something like this, and it works:

Code:

<?php

// test.php
$somevar='accessword';
/*includes the file just once (if you are using classes, avoids re-declarations) or die() if the file isn't found */
@require_once('somefile.php'); // @ means don't display errors

// somefile.php
// If it isn't declared and doesn't match
if(!isset($somevar) || $somevar != 'accessword'){
    $ERROR = "Access denied to include the file";    
    exit($ERROR); // Terminates the script
}
echo "Access granted to include the file";

?>
I hope this helps someone.
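
An added example, not part of any post in this thread: one way to implement rehfeld's "is the parent script in my doc root" check by resolving the real paths of the entry script and every file included so far, instead of comparing $_SERVER['DOCUMENT_ROOT'] to a string. The file name guard.php, the constant ALLOWED_ROOT, its path, and both function names are assumptions made for illustration.

```php
<?php
// guard.php -- added example; ALLOWED_ROOT and the function names are hypothetical.
// Put `require_once 'guard.php';` at the top of any file that must only be
// included by scripts living under your own document root.

const ALLOWED_ROOT = '/var/www/example/htdocs'; // assumption: your document root

/** True when $path resolves (symlinks and ../ removed) to a location inside $root. */
function path_is_inside(string $path, string $root): bool
{
    $realPath = realpath($path);
    $realRoot = realpath($root);
    if ($realPath === false || $realRoot === false) {
        return false; // nonexistent or unreadable path: fail closed
    }
    // Compare with a trailing separator so a sibling directory such as
    // /var/www/example/htdocs-other does not pass a plain prefix match.
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

/** Stop unless the entry script and every file included so far live under $root. */
function require_local_includer(string $root): void
{
    // get_included_files() lists the originally requested script first,
    // followed by each file pulled in with include/require.
    foreach (get_included_files() as $file) {
        if (!path_is_inside($file, $root)) {
            http_response_code(403);
            exit('Access denied to include the file');
        }
    }
}

require_local_includer(ALLOWED_ROOT);
```

As rehfeld points out, a check inside the file does not stop someone who can read it from the filesystem from copying the source and removing the guard; restricting what other accounts can read is the job of open_basedir and file permissions.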