Why doesn't this work?

// File hosted on `example.com`
// db-con.php
<?php
  define("DB_HOST" , "host");
  define("DB_NAME" , "name");
  define("DB_USER" , "user");
  define("DB_PASS" , "pass");

-

// File hosted on `another-example.com`
// index.php
<?php
  include 'http://example.com/db-con.php';
  echo DB_HOST;

-

// output
Notice: Use of undefined constant DB_HOST - assumed 'DB_HOST' in C:\Users\Alex\Dropbox\Shared\Web\htdocs\BASE_TEMPLATE\index.php on line 14

Surely by including the external file, the php is run, and the constants are defined?

1 Answer

You are not including the file as you see it, but instead including the response of the remote web server when that file is requested.

That is, the remote web server sees a request for db-con.php, loads it up, executes the code (defining constants in its own local process) and returns the output to you (which is probably empty, as the code does not echo anything). Therefore the end result is the same as if you had included an empty file.

Update: dug up the reference from the manual:

If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

So how to do it?

Well, including code from a remote server is something you shouldn't really think of doing (although there are ways to make it happen, it's a really bad idea). In any case you won't be able to do it without the explicit cooperation of the remote server (otherwise anyone could include anyone else's configuration file and use get_defined_constants to get the passwords). And if you do it, anyone else would be able to follow the same steps and get hold of your passwords. You don't want that to happen.

4 Comments

That makes so much sense!!! I feel slightly stupid... How do I run the code then?
@AlexMorley-Finch: You don't. If you could, anyone else could do the same and see your passwords.
@AlexMorley-Finch: Not unless the remote server is willing to expose the source to the whole world. In which case put everything in a text file and eval it.
Thanks for clearing this up, I'll take your advice and not implement this, it makes sense. Thank you :)
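
An added example (not code from the question or the answer): one way to keep the constants from the question in a local file and refuse URL-style include targets. `load_local_config()`, the temporary directory, and the sample values are assumptions made for illustration.

```php
<?php
// Added example: load DB settings only from a local file under a trusted
// directory and refuse URL-style include targets.
// load_local_config() and the temp directory are hypothetical names.

function load_local_config(string $path, string $trustedDir): array
{
    // A scheme such as http:// or data:// means a stream wrapper, not a local file.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        throw new InvalidArgumentException("Refusing wrapper/URL path: $path");
    }
    // Resolve symlinks and ".." so the containment check below is meaningful.
    $real = realpath($path);
    $base = realpath($trustedDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("Config not found inside trusted directory");
    }
    // The file returns an array; nothing is fetched over the network.
    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException("Config file must return an array");
    }
    return $config;
}

// Remote includes should stay disabled (the default for allow_url_include).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; include/require accept URLs');
}

// Constructed sample: a directory standing in for one outside the web root.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfg_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/db-con.php",
    "<?php return ['DB_HOST' => 'host', 'DB_NAME' => 'name'];");

$cfg = load_local_config("$dir/db-con.php", $dir);
echo $cfg['DB_HOST'], "\n";

try {
    // The include target from the question is rejected before any request is made.
    load_local_config('http://example.com/db-con.php', $dir);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

unlink("$dir/db-con.php");
rmdir($dir);
```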
