Password protecting an include (PHP)

Associate
Joined
2 Aug 2005
Posts
680
Is it possible to host a page on my website, for example news.inc.php and password protect the file (using htaccess), but let people on other websites access this file as an include for example

<?php include 'http://mysite.com/news.inc.php';?>

Can I add something to the include to access the file using my htaccess username and password?

It sounds like a strange question but I basically want to be able to add a test to several peoples' websites and if I update the test in the future I want to be able to do it through this one file hosted on my site.

Thanks,
Dan
 
Associate
Joined
30 Dec 2005
Posts
415
Couldn't you just test where the page was being called from using PHP? Look up php $_SERVER[""] variables.

If it was a different domain to the one it is currently hosted on, echo the content, otherwise, prompt for a username and password.
 
Associate
OP
Joined
2 Aug 2005
Posts
680
That wouldn't really work because if the file was stored in a directory with htaccess the php script wouldn't get the chance to check for the host. Can you use an include on a file which is stored on a different server/host? And if so, can you run the include with a username and password if the file you are trying to include IS password protected?

Thanks mate,
 
Soldato
Joined
12 Apr 2004
Posts
11,788
Location
Somewhere
I think your best bet is to use FTP here. You can't include a file remotely (and even if you could, it would have to be accessed in such a way as to prevent its content from being parsed as PHP), so you'd have to obtain the file to include via FTP and then include it once it's been downloaded... seems a little inefficient though :confused:
 
Associate
OP
Joined
2 Aug 2005
Posts
680
What's happened is I have made a few assessment tools (tests with forms) for some customers. I have made them as include files like test.inc.htm and results.inc.php so when I add the files to my customer's website it takes the shape and style of their site using their CSS. The only problem is, if I update one of the tests I will have to change the include files on everyones site.

What I was thinking was is there a way to have these include files on my site instead, so when I update them it's effective on everyones site?

It looks like you can run includes from remote sites using HTTP:
http://uk.php.net/manual/en/function.include.php

The only trouble is, these could be accessed by anyone. I want to be able to password protect the include files on my site so only people who know the username and password can access them. Sorry it's all a bit long winded, hope it makes more sense :)
 
Associate
Joined
30 Dec 2005
Posts
415
If its only static code that needs to be included then the solution is easy enough. If its PHP, then it will be parsed before it reaches the remote server, and you'll have to come up with a different method such as FTP*.

* - A solution to this is a bit complicated but it could work... Each client site has a PHP script with a cron job set up. Once a day (or however often you like), the PHP script connects to the DATABASE on your server and downloads the latest HTML/PHP code which is stored in a string. This code is then updated on the client site by rewriting the file.
An alternative to using a database would be using the PHP FTP functions, which can automatically get files.
You don't want this to happen every time a user requests a page on a client website, so stick it in a cron job and make it update everyday.
 
Soldato
Joined
12 Apr 2004
Posts
11,788
Location
Somewhere
theMAD2 said:
It looks like you can run includes from remote sites using HTTP:
http://uk.php.net/manual/en/function.include.php
Aha, my bad :)

It's possible to explicitly restrict access to a file to certain IPs using an .htaccess file, as below:
Code:
<Files foo.php>
Order Deny,Allow
Allow From xxx.xxx.xxx.xxx
</Files>

However, you'd have to make sure that the file wasn't parsed by PHP on your server. Remember that as long as you're accessing it via HTTP, as far as your server is concerned, it's just another request from a client, and so the file will be processed as such. What you'd need to do is store it in such a way that it won't be processed as PHP (e.g. with a different extension), or put in in a directory that does not have execution privileges.
 
Caporegime
Joined
18 Oct 2002
Posts
29,490
Location
Back in East London
You can include using the HTTP wrapper, but it is finickity to say the least.

You will need to be so, so, so, so careful how you go about this as it is open to major malicious manipulation which could result in someone formatting your server or worse.
 
Associate
OP
Joined
2 Aug 2005
Posts
680
Executing external code is very dangerous.
True, but it's only external in technical terms, it's code that I control so it's not external to me.

As we're on the subject of security, is it safe to use a set of includes like:

red.inc.htm
orange.inc.htm
green.inc.htm
ect

and then call them up from a php script with this code
Code:
<?php include "$colour" . '.inc.htm';?>
using links like colour.php?colour=red

Is there a safer way to switch between includes using variables passed in the links?
 
Caporegime
Joined
18 Oct 2002
Posts
29,490
Location
Back in East London
NO!!

What if someone submitted the path/url to their site allowing them to run their own code on your system?

NEVER trust ANY input from external sources. Some even take this a step further and validate data inbetween application layers (part of the Defense In Depth process which is the current buzzword)

Without giving it much thought, the safest way is to server the file you want as an attachement, then to hash the attachment and verify it against a hard coded value. Even with that you will still need to be careful.
 
Last edited:
Associate
OP
Joined
2 Aug 2005
Posts
680
eek! ok, how about passing variables in the link (like above), but in the file with the include have something like this:

Code:
<?php
if ($colour == 'red') { include 'red.inc.htm'; }
else if ($colour == 'orange') { include 'orange.inc.htm'; }
else if ($colour == 'green') { include 'green.inc.htm'; }
else { print 'Sorry, please click your browsers back button'; }
?>

Thanks a lot for your help mate :)
 
Caporegime
Joined
18 Oct 2002
Posts
29,490
Location
Back in East London
That could work, or a switch () {} :)

Another way:
Code:
<?php

$files = array('red', 'blue', 'orange', 'green');

if ((isset($_GET['pid'])) && (array_key_exists($_GET['pid'], $files))) {
    include_once($files[$_GET['pid']] . '.inc.php');
} else {
    include_once('default.php');
}

?>
 
Associate
OP
Joined
2 Aug 2005
Posts
680
Thanks a lot for your help with this mate :)
Can I use this?
Code:
<?php include "$colour" . '.inc.htm';?>
if I have set the variable in the php file, so even if someone trys to add something like colours.php?colour=hijackcode it will be changed when the php code (which will change the variable) is parsed?
 
Back
Top Bottom