Jump to content

Remotely Accessing Php Functions & Classes


Recommended Posts

Hi Everyone,

I wanted to know if there is anyway to define classes and functions on one site and then have multiple other sites connect. I want to do this so that I can encrypt information on these other sites with a class that I have made on another site.


I tried require but the remote script executes and then returns the result - it doesn't allow me to access or use the functions. If you have any ideas/suggestions/solutions I'm open to them but it looks like I'm going to need to reevaluate how I'm going to do this.


Thanks for reading!

Link to comment
Share on other sites

You would have to offer the files up in a format where they don't get parsed by your server, such as a .txt file.


The entire idea is a bit pointless though.  Since the decryption script has to be readable for it to be executed, someone could always just download it and run it on their own rather than contact your site all the time.  They could also have it just go through and decrypt everything then save a copy of the decrypted source.

Link to comment
Share on other sites

A .txt file is readable for humans as well though if they type in the url into their browser. I want both the encryption and decryption functions on the remote server so that no one from other servers knows the encryption key. Any ideas?


Since the decryption script has to be readable for it to be executed, someone could always just download it and run it on their own rather than contact your site all the time. They could also have it just go through and decrypt everything then save a copy of the decrypted source.

I see what you mean, thats why I thought I'd have to go back to the drawing board.

Link to comment
Share on other sites

Obfuscating your code is stupid and pointless. Here's why:

  1. It's called vendor lock-in. You may think this is great, but it isn't, because:
    • It assumes you will ALWAYS have the time to do so, which leaves your client hanging with zero options when you don't
    • It also assumes you NEVER go out of business, because if you do, they will have to hire another guy to do the entire thing over again
    • Clients are getting smarter (speaking for Belgium here) they ask about your use of open-source software, they know about vendor lock-in, they ask for you to hand over the code to them or they won't hire you, etc..
    • It's a headache to debug (works on your server, not the clients.. what do you do?), or even to make it work, since you are asking about it on this forum


In overall it's a bad move for your company because when your client figures out you locked him in, and trust me he's going to get that very fast when he hires someone else to do one of your works (yup your clients do that stuff) and he tells him he can't because you obfuscated your code and the other developer won't fail to mention vendor lock-in and what that means, and your client is going to jailbreak, hire the other developer and tell their friends, family, other business owners, and who not, about your company doing such an evil thing as vendor lock-in and that they shouldn't hire you. He'll Tweet it, Facebook it, and.. you are screwed..


But then again KevinM1 wants you to do vendor lock-in, because apparently his entire business is based upon to clean up after bad developers.

Edited by ignace
Link to comment
Share on other sites

I wasnt planning on Obfuscating my code - heres what I want to do:

For every product that goes out, I want the user to need to register their license key with my mysql database. Im not going to put my mysql database names, username and password aswell as queries in the script they can see so I wanted to send the license key through the $_GET part of the url and then from that run my code then send a result. However I want this license key encrypted so I am using the mcrypt_encrypt & mcrypt_decrypt functions however I dont want people to be able to see the encryption key I am using. So I want to have those encryption functions on my key management server and have the remote script call to a script on the server which encrypts the key, then sends it through the header('Location: https://www.website.com/?'.$encryptedlicensekey); which I then decrypt and send back a true or false according to whether the license key is valid.


Theres more to it than that but I dont want to make it too complex. As I said I wasn't planning on Obfuscating my code; only sending through the encrypted license key entered which is encrypted with a encryption key that is in a function on my remote server.


Hope this helps to help you guys solve the problem. Thanks for all the replies and help so far.


Link to comment
Share on other sites

Then I have completely misunderstood waht you wanted, sorry.


What you want is like what Gizmola said but with OAuth or something similar. OAuth is used to 'sign' a request, which allows you to verify the signature on your server and only send back data when the signature matches.


Here's a simple example without using OAuth (I highly recommend you use OAuth though):


$consumerKey = 'foobar';    // in a database on the server
$consumerSecret = 'bazbat'; // in a database on the server

$requestVariables = array(
  'nickLike' => 'ign%',
  'orderBy'  => 'name',
  'key'      => $consumerKey, // used to identify this consumer on the server

$request  = '/users/find?' . http_build_query($requestVariables);
$request .= '&signature=' . md5($consumerSecret . $consumerKey . $request);

$contents = file_get_contents('http://yourhost.url' . $request);


On your server you then get the signature off the request (url without &signature=) calculate the signature (like in the above code) and verify if they equal.


However this is a very simple example because anyone who has this URL can query your server for as long as you allow which is why I advise you to use OAuth.

Edited by ignace
Link to comment
Share on other sites

True OAuth might be a bit much - it involves a three-step authentication process. An API key and a request signature should be fine; the key is sent in the clear but a private "password" is used with some information about the request (like the URL and date) to create a hash. It verifies the request hasn't been tampered with.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.