pass variable to included file from other domain

Posted: Tue Oct 04, 2005 5:01 pm
by tkarven
Hi, I made an affiliate system where various affiliate sites might link to the main site and display some content from the main site. So I created some files on the main site solely for this external linkage problem.

My problem is: how can we pass a variable from these external files to the main file? I'm using readfile() instead of <iframe> because it embeds into the external site better in terms of design. However, when I declare a variable, e.g.

Code:

$v1="testing";

from the external site, and try to read its value from the main site using

Code:

echo $v1

it doesn't work.

The same happens with $_SESSION or global; it still doesn't work. Note that these external sites and the main site will have different domains, so will that be a problem?

Posted: Tue Oct 04, 2005 7:55 pm
by feyd
If the external page is processed by PHP on that site, you will not see any of the internal code. You will have to return the code in raw form to be able to process it. That is extremely dangerous, as someone who tampers with the external file can easily gain access to the other site.

Posted: Tue Oct 04, 2005 8:01 pm
by mickd
I'm guessing this isn't the problem because you probably just mistyped it here, but you're missing the semicolon ; at the end of echo $v1

Posted: Tue Oct 04, 2005 8:06 pm
by josh
Yeah, 'PHP injection' (arbitrary execution of third party code) can be a serious security issue, but if the third party is on one of your own servers, the data could probably be safely trusted.

Posted: Tue Oct 04, 2005 9:48 pm
by tkarven
So if that external site is trustable, how can we do so? For example, I just need to get the affiliate site's member id in order to produce relevant results. So in the main site, I'll just use that for my SQL, for example

Code:

select * from member where member_id = $v1

Does coding it this way expose us to any dangerous PHP injection? Of course they can gain access to the main site using others' ids easily, but that's not the main concern because these external pages are for information purposes only, e.g. displaying what products each of these affiliates is selling.

Maybe one way is through $_GET and a URL variable, but that's not the solution I'm looking for.

Besides that, maybe another solution is to encrypt these processing pages and place them on the external host. So, what do you people recommend?

*Encryption is not preferred as we need to establish some database connection to the main host
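
Added example (not part of the original thread or any poster's code): readfile() on a remote URL triggers a separate PHP request on the main site, so variables and $_SESSION never cross; the member id has to travel in the request and be treated as untrusted before it reaches the query shown above. The function names, the `name` column, the example URL and the in-memory SQLite data (requires pdo_sqlite) are assumptions made up for illustration.

```php
<?php
// Added example. Only `member` and `member_id` come from the thread;
// every other name and all sample rows are constructed.

// Affiliate side: the id must be part of the HTTP request itself, because the
// main site's script runs in its own process with its own variable scope.
function affiliate_embed_url(string $base, int $memberId): string
{
    return $base . '?' . http_build_query(['member_id' => $memberId]);
}

// Main-site side: $query stands in for $_GET. The value is attacker-controlled
// even when the affiliate is trusted, since anyone can request the URL.
function lookup_member(PDO $db, array $query): ?array
{
    $id = filter_var(
        $query['member_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null; // not a positive integer: reject before touching SQL
    }
    // Bound placeholder: the value is never concatenated into the SQL text,
    // unlike "select * from member where member_id = $v1".
    $stmt = $db->prepare('SELECT member_id, name FROM member WHERE member_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (member_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO member VALUES (1, 'alpha-shop'), (2, 'beta-shop')");

// What the affiliate page would pass to readfile().
echo affiliate_embed_url('https://main.example/affiliate.php', 2), "\n";

// A well-formed id returns one row; an injection-style value is rejected.
var_dump(lookup_member($db, ['member_id' => '2']));
var_dump(lookup_member($db, ['member_id' => '2 OR 1=1']));
var_dump(lookup_member($db, []));
```

Validation and parameter binding stop SQL injection through the id, but they do not prove which affiliate sent the request; that still needs authentication on the main site.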

Posted: Wed Oct 05, 2005 5:11 am
by Jenk
Just design the site so the members have to log in on your site, else you are going to have a nightmare with security.

Posted: Wed Oct 05, 2005 6:11 am
by tkarven
Yeah, that's true, but is it the only way? How about other affiliate websites out there?

We tried to do so simply because each of these affiliate websites can promote their website on their own and at the same time products which are hosted on our server. If that's the case, we lose mass advantage for group and independent promoting

*Are there security concerns even if these external websites are only able to display these products' contents? That's the only thing we are willing to let these external sites do: just search and view products, nothing more than that.