
Cross-server communication with PHP


zachwlewis


I'm developing a web-comic tool that allows users to run a small script on their servers that pings my website with information regarding comic updates and news.

Whenever they update, I want their server to send a message to my server so I can store the comic's name, number and image URL.

What is the best way to do this? I'm concerned about security, so I don't want to accept any blind GETs or anything like that. Can I do this in PHP, or will I need to look into employing some sort of JavaScript trickery to get everything flowing smoothly? Finally, how should I start this script so I can test my way through things (I've never done something like this before)?


Do you want this script to run on the server side or the browser side? I'm assuming that you want the server side, because you said that you want it to run when the user updates their site, not when someone views the site. The simplest way would be to insert in their update script an HTTP GET request to your script.

The GET method really isn't any less secure than POST and it's simpler to implement. You always need to validate everything that comes from an outside source--whether it's from GET data or POST data. You'll need to require some sort of valid credentials (such as a username/password, or as simple as an ID number, depending on your needs) so that you can identify the source. Depending on how your script is called, you might also want to check the Referer header. Remember, though, that any data that comes from an outside source can be forged.

This should probably be a combination of two scripts. The first script is the backend script that you run on your server. It should be written in a server-side language such as PHP and a request to its URL will cause the script to run and do its thing. That request will contain all the necessary input either in the URL's query string or as post data. A separate script will be run by the other server. You'll have to choose the language by what you can persuade the other servers' administrators to install. That script will gather the requisite information and request the URL provided by the first script.

Hope this helps.


One script runs on the client's server, but the main script runs from my server when it gets sent information from the client's script.

I was thinking that it shouldn't be too hard, all I would have to do would be to somehow open a connection from their site to mine. I was reading that many scripts like this open a 0px x 0px iframe that connects to the website.

As for user validation, instead of requiring a username and password in the URL, I could have the user enter their URL into the site, then the server just checks to see that the traffic comes from that domain. Is that a possibility?


I was thinking that it shouldn't be too hard, all I would have to do would be to somehow open a connection from their site to mine. I was reading that many scripts like this open a 0px x 0px iframe that connects to the website.

This won't work if you want the script to run when the other person updates stuff on their server, since it will call your script every time someone VISITS your site. If that's what you want, great--although I would recommend a 1x1 transparent GIF instead of an IFRAME.

If you want to be notified when the other server is updated, you'll need to come up with some method that the other server can call your script. You can easily accomplish it by having the other server request a certain URL (with curl, for example) which triggers your script. If you want to go the RSS route, then your server would periodically poll the RSS feed looking for updates. In that situation, the other server wouldn't need to do anything except publish an RSS feed--provided that the feed contains all required information.

As for user validation, instead of requiring a username and password in the URL, I could have the user enter their URL into the site, then the server just checks to see that the traffic comes from that domain. Is that a possibility?

If you want to be sure to get notified, your script will need to run without user interaction. Otherwise, someone will forget or get lazy. There are a number of validation schemes that you could come up with. If the script is purely server-side, then submitting a unique identifier might be sufficient. The server could do reverse DNS lookups if you want (but that won't work so well for virtual hosts that share an IP address), but there's a limit to how much you can practically harden the script. The Referer header is fairly reliable for browser traffic, but someone who's determined to do so can forge it.

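The validation advice in the replies above (per-site credentials, validating every field, not relying on the Referer header), as an added example that is not part of the original thread. It goes one step beyond a bare ID by having each site sign its ping with a shared secret (HMAC-SHA256); the site id, secret, host, field names and both function names are assumptions made for illustration.

```php
<?php
// Added example: constructed registry; the id, secret and host are placeholders.
const SITES = [
    'comic-42' => ['secret' => 'replace-with-random-per-site-secret', 'host' => 'comics.example.org'],
];
const MAX_SKEW = 300; // seconds a signed ping is accepted for

// Sender side (comic author's update script): build the signed query string.
function sign_ping(string $siteId, string $secret, array $fields, int $now): string
{
    $fields += ['site' => $siteId, 'ts' => $now];
    ksort($fields); // canonical field order so both sides hash the same string
    $fields['sig'] = hash_hmac('sha256', http_build_query($fields), $secret);
    return http_build_query($fields);
}

// Receiver side: returns the validated fields, or null when the ping is rejected.
function verify_ping(array $in, int $now): ?array
{
    $id  = $in['site'] ?? null;
    $sig = $in['sig'] ?? null;
    if (!is_string($id) || !is_string($sig)) return null;
    $site = SITES[$id] ?? null;
    if ($site === null) return null;                                // unknown sender
    unset($in['sig']);
    ksort($in);
    $expected = hash_hmac('sha256', http_build_query($in), $site['secret']);
    if (!hash_equals($expected, $sig)) return null;                 // forged or altered
    if (abs($now - (int) ($in['ts'] ?? 0)) > MAX_SKEW) return null; // stale ping
    // Authentic is not the same as well-formed: validate each field before storing.
    $number = filter_var($in['number'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $url    = filter_var($in['image'] ?? null, FILTER_VALIDATE_URL);
    $name   = trim((string) ($in['name'] ?? ''));
    if ($number === false || $url === false || $name === '' || strlen($name) > 100) return null;
    if (!in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) return null;
    if (strcasecmp((string) parse_url($url, PHP_URL_HOST), $site['host']) !== 0) return null;
    return ['site' => $id, 'name' => $name, 'number' => $number, 'image' => $url];
}

// Constructed demo: an honest ping, then the same ping with one field altered.
$now = time();
$qs  = sign_ping('comic-42', SITES['comic-42']['secret'],
    ['name' => 'Space Cats', 'number' => 17, 'image' => 'https://comics.example.org/17.png'], $now);
parse_str($qs, $received); // what $_GET would hold on the receiving server
var_dump(verify_ping($received, $now) !== null);
$received['number'] = '18';
var_dump(verify_ping($received, $now) !== null);
```

The secret itself never appears in the request, only the signature derived from it, so a logged or observed URL cannot be altered and resubmitted with different comic data.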

I was thinking that it shouldn't be too hard, all I would have to do would be to somehow open a connection from their site to mine. I was reading that many scripts like this open a 0px x 0px iframe that connects to the website.

This won't work if you want the script to run when the other person updates stuff on their server, since it will call your script every time someone VISITS your site. If that's what you want, great--although I would recommend a 1x1 transparent GIF instead of an IFRAME.

That would be part of the update script. It would trigger once each time the user updates the comic (posts a new one, deletes one, etc.)

I'm actually beginning to wonder if an XML solution would work. Like, dynamically create an XML file with all the user's comics. Then, all the ping script does is trigger a script on my server to scan their XML file for changes and update the database accordingly. Does that sound viable?

