Jump to content

Recommended Posts

I'm stuck at trying to figure out out to complete the 3 Step scripts to accomplish passing $variables between 2 different servers.  Since there will actually be 12 Non-POST $variables involved in the SERVER #1 to SERVER #2 transfer , it doesn't appear that trying to put these all in a URL string and going the 'GET' route is practical. 

 

I'm just using 3 short test variables in the examples.  My eyeballs started rolling within I ran across something about 'CURL' that might be a necessary part of the solution?

 

The code I have been able to hammer out so far is below as STEP 1, STEP 2 and STEP 3. 

 

STEP 1

<?php

// submit.php 

// STEP 1

// On (LOCAL) SERVER #1 TO relay $variables to 'process.php' on (REMOTE) SERVER #2

// To submit $variables to directly another destination server script
// NOTE: The $variable are NOT the result of Form Input !!!

// For login Authenticaion ALL 3 must match db entries on SERVER #2 
// NOTE: (Again) The $variables are NOT the result of Form Input !!! 

$userid = "adam";
$passwd = "eve";
$pscode = "peterpan";

// NOTE: (Again) The $variable are NOT the result of Form Input !!! 
// These $variables are needed for MySQL db INSERT on the destination URL server
// For testing simplicity (actual data will be 12 $variables)

$a = "apple";
$b = "banana";
$u = "1234567;

//
// Not sure if something called 'CURL' is needed here ???
//

$submit_to_url = http://www.blahblah.com/process.php";

?>

STEP 2

<?php

// processor.php

// STEP 2

// ON SERVER #2 TO RECEIVE DATA DIRECTLY FROM SERVER #1 'submit.php'

// To receive and process the $variables into a MySQL db on SERVER #2
// NOTE: The $variables are NOT the result of Form Input !!!

// First validate $userid, $passwd & $pscode against `verify` table MySQL records

require '/SERVER_2_securelocation_for_database_connection/secret_mysqli.php';

if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

//
// Not sure if something called 'CURL' is needed here ???
//

// These login $variables are from submit.php on SERVER #1

$userid 
$passwd 
$pscode

$sql="SELECT `userid`, `passwd`, `pscode` FROM `verify` 
WHERE `userid` = '$userid'" AND `passwd` = '$passwd` AND `pscode` = '$pscode';

$result = mysqli_query($con,$sql);

if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}

//
// Then some Authentication code if ALL 3 components match
//

// If Authentication = true then $passed = "YES" must sent
// be sent back to the 'finalstep.php' script on SERVER #1
// If Authentication (or connection) = false ... $passed = "NO" 

$return_to_url = http://www.blahblah.com/finalstep.php";

// These $variables are from submit.php on SERVER #1

$a = "apple";
$b = "banana";
$u = "1234567";

$sql="INSERT INTO `data` (`a`, `b`, `u`) 
VALUES ('$a', '$b', '$u')"; 

if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}

// If $SQL INSERT into `data` on SERVER #2 works ...
// $status = "Pending" must be sent back to the 'finalstep.php' 
// script on SERVER #1 for MySQL db Table insertion
// If $SQL INSERT into `data` = false, then $status = "Error"
// NOTE: The '$u' $variable also needs send back to finalstep.php !!!

$return_to_url = http://www.blahblah.com/finalstep.php";

mysqli_close($con);

?>

STEP 3

<?php

// finalstep.php 

// STEP 3

// ON SERVER #1 TO RECEIVE DATA DIRECTLY BACK FROM SERVER #2 process.php

// To receive the $passed, $status and $u $variables for final step action
// NOTE: The $variable are NOT the result of Form Input !!!

require '/SERVER_1_securelocation_for_database_connection/secret_mysqli.php';

if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// These $variables are from process.php on SERVER #2

$passed
$status
$u

$sql="UPDATE `tracking` 
SET `passed` = '$passed',
    `status` = '$status' 
WHERE `uniqueid` = '$u' ";

$result = mysqli_query($con,$sql);

if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}

mysqli_close($con);

?>


Thanks very much for any assistance and guidance.

 

-freakingOUT

 

Do you realize that all of your scripts are wide open to SQL injection attacks? That you're printing all MySQL errors with all sensitive information directly on the screen? That you don't have any checks to make sure that the scripts can indeed only be executed by your servers?

 

Besides that, the whole setup with those raw PHP scripts waiting to be executed by somebody is ... not good. When you want two servers to communicate, you need an API: a well-defined interface with specific functionalities, specific responses, authentication and proper(!) error handling.

 

It's much easier than it may sound. For example:

  • Use JSON-RPC to call remote functions and exchange data in a proper way. There are several PHP libraries which make it very easy to set up a client and a server (they also handle the cURL stuff for you).
  • Generate a random password (e. g. 16 bytes read from /dev/urandom) and have the client send it with each request. Then store a hash of the password (SHA-256 is enough) on the server and use it to authenticate the client.
  • You should use HTTPS between the servers.

Agreed, you need to wrap these in an API.  You'll be posting a document (usually XML or JSON) from one server to another, and the recipient will validate the object, extract the information, process it, and respond with another XML document, potentially also kicking off its own remote calls.  It's complex, but then again you're attempting to make 3 web servers work in concert.

 

Jacques' standard rant about security also applies if these scripts will actually be exposed to the internet at large.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.