
Password protecting an include (PHP)

Discussion in 'HTML, Graphics & Programming' started by theMAD2, 19 Jan 2006.

  1. theMAD2

    Hitman

    Joined: 2 Aug 2005

    Posts: 680

    Is it possible to host a page on my website, for example news.inc.php and password protect the file (using htaccess), but let people on other websites access this file as an include for example

    <?php include 'http://mysite.com/news.inc.php';?>

    Can I add something to the include to access the file using my htaccess username and password?

    It sounds like a strange question but I basically want to be able to add a test to several people's websites and if I update the test in the future I want to be able to do it through this one file hosted on my site.

    Thanks,
    Dan
     
  2. toastyman

    Gangster

    Joined: 30 Dec 2005

    Posts: 421

    Couldn't you just test where the page was being called from using PHP? Look up php $_SERVER[""] variables.

    If it was a different domain to the one it is currently hosted on, echo the content, otherwise, prompt for a username and password.
     
  3. theMAD2

    Hitman

    Joined: 2 Aug 2005

    Posts: 680

    That wouldn't really work because if the file was stored in a directory with htaccess the php script wouldn't get the chance to check for the host. Can you use an include on a file which is stored on a different server/host? And if so, can you run the include with a username and password if the file you are trying to include IS password protected?

    Thanks mate,
     
  4. Inquisitor

    Capodecina

    Joined: 12 Apr 2004

    Posts: 11,788

    Location: Birmingham

    I think your best bet is to use FTP here. You can't include a file remotely (and even if you could, it would have to be accessed in such a way as to prevent its content from being parsed as PHP), so you'd have to obtain the file to include via FTP and then include it once it's been downloaded... seems a little inefficient though :confused:
     
  5. theMAD2

    Hitman

    Joined: 2 Aug 2005

    Posts: 680

    What's happened is I have made a few assessment tools (tests with forms) for some customers. I have made them as include files like test.inc.htm and results.inc.php so when I add the files to my customer's website it takes the shape and style of their site using their CSS. The only problem is, if I update one of the tests I will have to change the include files on everyone's site.

    What I was thinking was is there a way to have these include files on my site instead, so when I update them it's effective on everyone's site?

    It looks like you can run includes from remote sites using HTTP:
    http://uk.php.net/manual/en/function.include.php

    The only trouble is, these could be accessed by anyone. I want to be able to password protect the include files on my site so only people who know the username and password can access them. Sorry it's all a bit long-winded, hope it makes more sense :)
     
  6. toastyman

    Gangster

    Joined: 30 Dec 2005

    Posts: 421

    If it's only static code that needs to be included then the solution is easy enough. If it's PHP, then it will be parsed before it reaches the remote server, and you'll have to come up with a different method such as FTP*.

    * - A solution to this is a bit complicated but it could work... Each client site has a PHP script with a cron job set up. Once a day (or however often you like), the PHP script connects to the DATABASE on your server and downloads the latest HTML/PHP code which is stored in a string. This code is then updated on the client site by rewriting the file.
    An alternative to using a database would be using the PHP FTP functions, which can automatically get files.
    You don't want this to happen every time a user requests a page on a client website, so stick it in a cron job and make it update every day.
     
  7. Inquisitor

    Capodecina

    Joined: 12 Apr 2004

    Posts: 11,788

    Location: Birmingham

    Aha, my bad :)

    It's possible to explicitly restrict access to a file to certain IPs using an .htaccess file, as below:
    Code:
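    <Files foo.php>
    # Deny is evaluated first, then Allow; without "Deny from all" every client would still be let in
    Order Deny,Allow
    Deny from all
    Allow From xxx.xxx.xxx.xxx
    </Files>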
    
    However, you'd have to make sure that the file wasn't parsed by PHP on your server. Remember that as long as you're accessing it via HTTP, as far as your server is concerned, it's just another request from a client, and so the file will be processed as such. What you'd need to do is store it in such a way that it won't be processed as PHP (e.g. with a different extension), or put it in a directory that does not have execution privileges.
     
  8. Dj_Jestar

    Caporegime

    Joined: 18 Oct 2002

    Posts: 28,818

    Location: Back in East London

    You can include using the HTTP wrapper, but it is finickity to say the least.

    You will need to be so, so, so, so careful how you go about this as it is open to major malicious manipulation which could result in someone formatting your server or worse.
     
  9. Inquisitor

    Capodecina

    Joined: 12 Apr 2004

    Posts: 11,788

    Location: Birmingham

    Agreed ^

    Executing external code is very dangerous.
     
  10. theMAD2

    Hitman

    Joined: 2 Aug 2005

    Posts: 680

    True, but it's only external in technical terms, it's code that I control so it's not external to me.

    As we're on the subject of security, is it safe to use a set of includes like:

    red.inc.htm
    orange.inc.htm
    green.inc.htm
    etc.

    and then call them up from a php script with this code
    Code:
    <?php include "$colour" . '.inc.htm';?>
    
    using links like colour.php?colour=red

    Is there a safer way to switch between includes using variables passed in the links?
     
  11. Dj_Jestar

    Caporegime

    Joined: 18 Oct 2002

    Posts: 28,818

    Location: Back in East London

    NO!!

    What if someone submitted the path/url to their site allowing them to run their own code on your system?

    NEVER trust ANY input from external sources. Some even take this a step further and validate data in between application layers (part of the Defense In Depth process which is the current buzzword).

    Without giving it much thought, the safest way is to serve the file you want as an attachment, then to hash the attachment and verify it against a hard coded value. Even with that you will still need to be careful.
     
    Last edited: 19 Jan 2006
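
The hash check suggested in the post above, combined with the thread's idea of a scheduled fetch from an .htaccess-protected URL, as an added example that is not any poster's code. The URL, credentials, cache path and function names are placeholders, and the pinned hash has to be shipped to each client site with every new release of the fragment.

```php
<?php
// Added example, not code from the thread. All names, paths and URLs are placeholders.

/** Fetch a fragment from a URL protected by HTTP Basic auth (.htaccess). */
function fetch_protected(string $url, string $user, string $pass): string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'GET',
        // Basic credentials are only base64-encoded, so use an https:// URL.
        'header'  => 'Authorization: Basic ' . base64_encode("$user:$pass"),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException("fetch failed: $url");
    }
    return $body;
}

/** Cache the fragment only if its SHA-256 equals the hard-coded (pinned) value. */
function install_if_trusted(string $body, string $pinnedSha256, string $cacheFile): bool
{
    if (!hash_equals($pinnedSha256, hash('sha256', $body))) {
        return false; // mismatch: leave the previously cached copy in place
    }
    // Write to a temporary file and rename, so a page never reads half a file.
    $tmp = $cacheFile . '.tmp';
    if (file_put_contents($tmp, $body, LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, $cacheFile);
}

// --- Offline demonstration with a constructed fragment ---
$fragment = "<form><!-- constructed sample test form --></form>\n";
$pinned   = hash('sha256', $fragment); // real use: a hex string hard-coded on the client site
$cache    = sys_get_temp_dir() . '/test.inc.htm';

var_dump(install_if_trusted($fragment, $pinned, $cache));                           // unmodified fragment
var_dump(install_if_trusted($fragment . '<?php /* altered */ ?>', $pinned, $cache)); // altered fragment

// In the cron job the fragment would come from the protected URL instead:
// $fragment = fetch_protected('https://example.com/protected/test.inc.htm', 'USER', 'PASS');

// The page emits the cached copy as data; readfile() never executes it as PHP.
readfile($cache);
```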
  12. theMAD2

    Hitman

    Joined: 2 Aug 2005

    Posts: 680

    eek! ok, how about passing variables in the link (like above), but in the file with the include have something like this:

    Code:
    <?php
    if ($colour == 'red') { include 'red.inc.htm'; }
    else if ($colour == 'orange') { include 'orange.inc.htm'; }
    else if ($colour == 'green') { include 'green.inc.htm'; }
    else { print 'Sorry, please click your browsers back button'; }
    ?>
    
    Thanks a lot for your help mate :)
     
  13. Dj_Jestar

    Caporegime

    Joined: 18 Oct 2002

    Posts: 28,818

    Location: Back in East London

    That could work, or a switch () {} :)

    Another way:
    Code:
    <?php
    
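    // Whitelist of permitted includes; 'pid' must be one of this array's numeric keys (0-3)
    $files = array('red', 'blue', 'orange', 'green');
    
    // The include path is built only from a whitelist entry, never from the raw request value
    if ((isset($_GET['pid'])) && (array_key_exists($_GET['pid'], $files))) {
        include_once($files[$_GET['pid']] . '.inc.php');
    } else {
        include_once('default.php');
    }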
    
    ?>
     
  14. theMAD2

    Hitman

    Joined: 2 Aug 2005

    Posts: 680

    Thanks a lot for your help with this mate :)
    Can I use this?
    Code:
    <?php include "$colour" . '.inc.htm';?>
    if I have set the variable in the php file, so even if someone tries to add something like colours.php?colour=hijackcode it will be changed when the php code (which will change the variable) is parsed?