
Hi Everyone,

I wanted to know if there is any way to define classes and functions on one site and then have multiple other sites connect. I want to do this so that I can encrypt information on these other sites with a class that I have made on another site.

 

I tried require but the remote script executes and then returns the result - it doesn't allow me to access or use the functions. If you have any ideas/suggestions/solutions I'm open to them but it looks like I'm going to need to reevaluate how I'm going to do this.

 

Thanks for reading!

You would have to offer the files up in a format where they don't get parsed by your server, such as a .txt file.

 

The entire idea is a bit pointless though.  Since the decryption script has to be readable for it to be executed, someone could always just download it and run it on their own rather than contact your site all the time.  They could also have it just go through and decrypt everything then save a copy of the decrypted source.

A .txt file is readable for humans as well though if they type in the url into their browser. I want both the encryption and decryption functions on the remote server so that no one from other servers knows the encryption key. Any ideas?

 

Since the decryption script has to be readable for it to be executed, someone could always just download it and run it on their own rather than contact your site all the time. They could also have it just go through and decrypt everything then save a copy of the decrypted source.

I see what you mean, that's why I thought I'd have to go back to the drawing board.

Obfuscating your code is stupid and pointless. Here's why:

  1. It's called vendor lock-in. You may think this is great, but it isn't, because:
    • It assumes you will ALWAYS have the time to do so, which leaves your client hanging with zero options when you don't
    • It also assumes you NEVER go out of business, because if you do, they will have to hire another guy to do the entire thing over again
    • Clients are getting smarter (speaking for Belgium here): they ask about your use of open-source software, they know about vendor lock-in, they ask for you to hand over the code to them or they won't hire you, etc.
    • It's a headache to debug (works on your server, not the client's... what do you do?), or even to make it work, since you are asking about it on this forum

 

Overall it's a bad move for your company because when your client figures out you locked him in, and trust me he's going to get that very fast when he hires someone else to do one of your works (yup, your clients do that stuff) and he tells him he can't because you obfuscated your code, the other developer won't fail to mention vendor lock-in and what that means, and your client is going to jailbreak, hire the other developer and tell their friends, family, other business owners, and who not, about your company doing such an evil thing as vendor lock-in and that they shouldn't hire you. He'll Tweet it, Facebook it, and... you are screwed.

 

But then again KevinM1 wants you to do vendor lock-in, because apparently his entire business is based upon cleaning up after bad developers.

Edited by ignace

I wasn't planning on obfuscating my code - here's what I want to do:

For every product that goes out, I want the user to need to register their license key with my mysql database. I'm not going to put my mysql database names, username and password as well as queries in the script they can see, so I wanted to send the license key through the $_GET part of the url and then from that run my code then send a result. However I want this license key encrypted so I am using the mcrypt_encrypt & mcrypt_decrypt functions, however I don't want people to be able to see the encryption key I am using. So I want to have those encryption functions on my key management server and have the remote script call to a script on the server which encrypts the key, then sends it through the header('Location: https://www.website.com/?'.$encryptedlicensekey); which I then decrypt and send back a true or false according to whether the license key is valid.

 

There's more to it than that but I don't want to make it too complex. As I said I wasn't planning on obfuscating my code; only sending through the encrypted license key entered, which is encrypted with an encryption key that is in a function on my remote server.

 

Hope this helps to help you guys solve the problem. Thanks for all the replies and help so far.

Timothy

Then I have completely misunderstood what you wanted, sorry.

 

What you want is like what Gizmola said but with OAuth or something similar. OAuth is used to 'sign' a request, which allows you to verify the signature on your server and only send back data when the signature matches.

 

Here's a simple example without using OAuth (I highly recommend you use OAuth though):

 

$consumerKey = 'foobar';    // in a database on the server
$consumerSecret = 'bazbat'; // in a database on the server

$requestVariables = array(
  'nickLike' => 'ign%',
  'orderBy'  => 'name',
  'key'      => $consumerKey, // used to identify this consumer on the server
);

$request  = '/users/find?' . http_build_query($requestVariables);
$request .= '&signature=' . md5($consumerSecret . $consumerKey . $request);

$contents = file_get_contents('http://yourhost.url' . $request);

 

On your server you then get the signature off the request (URL without &signature=), calculate the signature (like in the above code) and verify that they are equal.

 

However this is a very simple example because anyone who has this URL can query your server for as long as you allow which is why I advise you to use OAuth.

Edited by ignace

The thing is though, I want one key which every client who installs my software uses to send me their encrypted product/license key but I don't want them to know what it is for security reasons. I'll have a look at OAuth & thanks for your help.

 

Timothy

True OAuth might be a bit much - it involves a three-step authentication process. An API key and a request signature should be fine; the key is sent in the clear but a private "password" is used with some information about the request (like the URL and date) to create a hash. It verifies the request hasn't been tampered with.
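
The API key plus request signature described in the last reply, together with the server-side check ignace describes, as an added example that is not code from the thread. It uses HMAC-SHA256 over the path, parameters and a timestamp; the function names, the `ts` parameter and the 300-second window are assumptions, and the key and secret are the thread's placeholders.

```php
<?php
const MAX_SKEW = 300; // assumed validity window in seconds

// Client: append key, timestamp and an HMAC-SHA256 signature to the request.
function sign_request(string $path, array $params, string $key, string $secret, int $now): string
{
    $params['key'] = $key;  // sent in the clear, identifies the consumer
    $params['ts']  = $now;  // binds the signature to a point in time
    ksort($params);         // canonical order so both sides hash the same bytes
    $base = $path . '?' . http_build_query($params);
    return $base . '&signature=' . hash_hmac('sha256', $base, $secret);
}

// Server: rebuild the signed string from the received URL and compare.
function verify_request(string $url, array $secretsByKey, int $now): bool
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    parse_str($parts['query'] ?? '', $params);
    $given = $params['signature'] ?? null;
    $key   = $params['key'] ?? null;
    $ts    = $params['ts'] ?? null;
    unset($params['signature']);
    if (!is_string($given) || !is_string($key) || !is_string($ts) || !ctype_digit($ts)) {
        return false;                       // missing or malformed fields
    }
    if (!isset($secretsByKey[$key]) || abs($now - (int) $ts) > MAX_SKEW) {
        return false;                       // unknown consumer or stale request
    }
    ksort($params);
    $base = ($parts['path'] ?? '') . '?' . http_build_query($params);
    return hash_equals(hash_hmac('sha256', $base, $secretsByKey[$key]), $given);
}

// Constructed sample data, reusing the thread's placeholder key and secret.
$secrets = ['foobar' => 'bazbat'];          // server-side lookup: key => secret
$now     = 1700000000;                      // fixed clock so the run is repeatable
$url     = sign_request('/users/find', ['nickLike' => 'ign%', 'orderBy' => 'name'], 'foobar', 'bazbat', $now);

var_dump(verify_request($url, $secrets, $now));         // request exactly as signed
var_dump(verify_request(str_replace('orderBy=name', 'orderBy=id', $url), $secrets, $now)); // altered after signing
var_dump(verify_request($url, $secrets, $now + 3600));  // same URL replayed an hour later
```

The secret never travels with the request, and `hash_equals` compares the two signatures in constant time so the check does not leak how many leading characters matched.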
