[SOLVED] file_get_contents - issues with remote files

[gregsmith]

Hi there,

 

I'm currently a complete newb to remote file access (although not a newb to php). 

 

I started by trying just a standard include to the remote file I'm after but the server won't let me do this.  I also gather it's very insecure.

 

I came across the file_get_contents() function and it seems to work pretty well like:

 

echo file_get_contents("file.php");

 

I am, however, having trouble with mysql access.  The system I'm developing currently opens the database connection before the file is included so any sql in the included file is executed on the correct database.  Now that I'm using file_get_contents, this doesn't seem to work - I get an 'Warning: mysql_query() [function.mysql-query]: Access denied for user...' error.

 

Can anyone help me out with what might be going on?  Also any tips on how you do remote access would be great.

[monk.e.boy]

http://uk.php.net/curl

 

I didn't understand the mysql access bit 

 

monk.e.boy

[gregsmith]

curl seems like a good thing to learn - however this system will likely be installed on many different servers, so I would rather stick to just PHP so I don't have to ask for curl to be installed.

 

To try and clarify:  The 'echo file_get_contents(included_file.php)'; seems to work as a fine substitute to include 'included_file.php'; apart from any sql that's in that file doesn't work.  The mysql connection script is executed before the file is included.

 

Any more help?

[monk.e.boy]

post your code.  ;) ;D

 

monk.e.boy

[gregsmith]

Thanks for the replies - I'm going to try cURL as you suggested.  I just hope it's installed on most servers and there's a way to execute mysql statements locally after the file has been 'got'

[ToonMariner]

Make sure you are running php4.3 or higher (file_get contents is not supported prior to that).

 

Also amke sure that the file is being made avialable to you - the other server may block requests for it based on how you try to retrieve that file...

[monk.e.boy]

what? so you "get" the file (what like ftp?) then you include_once this new file and then execute it?

 

Mad.

 

monk.e.boy

[gregsmith]

by 'got' I mean got the contents.

 

All I know is that the page works when I was using include 'file.php' and now it doesn't when I try and include it remotely using 'echo file_get_contents('file.php')'.  I'm just trying to include code from a remote location rather than a local location.  This is so I can use the same include files in a number of different installations of the same system so I don't have to keep updating 10's of local copies.

 

What's so 'Mad' about that?

 

When I was using include, the php code seemed to be executed AFTER it was included.  Now that I'm using the other methods (just tried cURL), it seems to be executed BEFORE the include.

[monk.e.boy]

Well, say you have login.php on a remote server in the USA and you include it from a server in Japan. When a user tries to log into your site in Japan, this server will try to include_once( 'file_from_USA' ) which may take 30 seconds, or time out.

 

And you'll copy it over every time someone tries to log, 100s of times a day. And the file you are copying 100s of times a day doesn't change for 2 months = 100 a day x 30 a month x 2 months = 6,000 times this file is copied over the internet.

 

Like I said. Mad. But don't let me put you off your project.  ;D

 

monk.e.boy

[gregsmith]

Well, you're not going to put me off because you've arrogantly assumed that you know the usage level and future of my project.  Oh well, as long as you sound clever and knowledgeable I guess that's all that matters.

 

In the meantime does anyone who actually has knowledge and experience of remote include methods care to grace me with their help please?

[gregsmith]

OK, I've just discovered from a similar post on a similar forum that what I'm trying to do is not possible.

 

When using 'include', 'file_get_contents()' or 'cURL' you cannot include code itself.  The remote server holding the file will always parse as php and send the result rather than including the php code, unlike if it was being included from a local resource.  This is why the mySQL in my code wasn't working.

 

This does of course make sense from a security point of view.  I thought there might be some secure way round it but apparently not.

 

I'll have to use a build tracking process and installation procedure instead I guess.

 

Cheers,

 

Greg

[monk.e.boy]

Oh well, as long as you sound clever and knowledgeable I guess that's all that matters.

 

Oh, man.

 

Do I feel bad now.

 

I was right and you were wrong. I thought what you were doing was a bit mad  ;D

 

Actually you could do what you want, just download the php file using CURL, then save it to a readable directory and then include it.

 

I can not see why that won't work. I do it all the time with normal web pages, I download them, then regex through them looking for stuff.

 

Anyone? Why wouldn't this work?

 

monk.e.boy

[gregsmith]

Oh well, as long as you sound clever and knowledgeable I guess that's all that matters.

 

Oh, man.

 

Do I feel bad now.

 

I was right and you were wrong. I thought what you were doing was a bit mad  ;D

 

I still don't think what I was doing was mad as I would still consider it under certain circumstances using a method such as the one you mentioned, however I was a unnecessarily sarcastic.  You caught me in a bad mood 

You're method seems spot on and I can't see why it wouldn't work.  Another (although super insecure) method is to rename the php includes as .inc (or whatever) files.  This obviously opens up the code to anybody so is pretty dumb.  However, I can think of a few scenarios where this method may be appropriate.

[monk.e.boy]

How about:

 

// make ftp connection
$conn_id = ftp_connect($ftp_server); 
// login with username and password
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass); 
ftp_get($conn_id, $local_file, $server_file, FTP_TEXT));

check date+time of php file (or open the file and read a version number, this could be in a comment string at the top of the file)

is it newer than our local version?
{
  move file to includes folder
}

include_once 'file.php';

 

Try that, I'm sure it should work.

 

You could shove all this into a function called include_once_remote() and use that instead of include_once.

 

Please take the time to try this and tell us if it works 

 

cheers,

 

monk.e.boy

[gregsmith]

I've been suggested another method that is a bit simpler on another forum:

 

Rename all included files to .inc (or whatever is suitable) and put them in a specific folder.

Protect the folder with htaccess requiring user authentication.

Using curl you can retrieve the file by passing the correct user authentication login information.

 

Can you see any security issues with this method?  Sounds like the best suggestion so far.

[monk.e.boy]

Try it.

 

Can you post your code here (minus the passwords  ) later please?

 

Sounds completely mad interesting  ;D

 

monk.e.boy

[gregsmith]

I'm putting this part of the project on hold as I've just run into a host of new problems with it that I just don't have time to sort out.  I think both methods will work though.

 

If I readdress it at a later date, I'll post my results.  Until then remote access won't be part of my system - build management and remote update installs will take it's place.