0

I'm simply attempting to execute remote PHP code locally.

To put it simply, I have an external script hosted on xxx.com/code.txt - and then want to have my internal system load that code in PHP. I tried using file_get_contents() but I don't think this is the right method of doing so.

I also tried using include(), but it seems that most PHP configurations have the http wrapper disabled. So in that case, how can I, using PHP, check whether the server has allow_url_include enabled, because my script relies on loading the external code, or at least have an if statement to check whether allow_url_include is enabled?

6
  • PHP is executed remotely. If you're including it via your browser remotely you're just getting its output. Commented Jun 21, 2014 at 14:49
  • 1
    Well, usually you get your remote, hold the device button down (tv, cable, sat), have the code handy, until the power button blinks three times, then punch in the cod- Oh, you mean programming code. Commented Jun 21, 2014 at 14:49
  • 1
    include($url) is equivalent to eval(file_get_contents($url)), assuming you have at least allow_url_fopen enabled. It's also a really bad idea, and you should restructure your code to transmit data rather than PHP code if you have even half a chance. Commented Jun 21, 2014 at 14:52
  • 1
    Are you trying to achieve code injection with PHP? Do not do it. owasp.org/index.php/Code_Injection Commented Jun 21, 2014 at 14:52
  • okay @IMSoP I know it is a bad idea to allow_url_fopen and I don't want to do this actually. Is there anything else that can be handy for this? I mean validating the code with signatures on the client side before execution. Commented Dec 27, 2018 at 9:20

2 Answers 2

2

Try this function

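function get_data($url)
{
    // Fetch the body at $url with cURL and return it as a string
    $ch = curl_init();
    $timeout = 5; // connection timeout in seconds
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $data = curl_exec($ch); // false on failure
    echo $data;
    curl_close($ch);
    return $data;
}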

You can call this function like this

$response = get_data('http://yoursite.com/code.txt');

1

To kinda safely import code you could:

  • make a php script which requires a hash (big big big hash) and put it on the server you want to connect to.
  • You can then @file_get_contents() that php file with the hash in the url
  • That script accepts the hash, imports a file (whichever you want) and returns it.

But as they all said, if it's PHP you want to execute think twice.

And if this does not convince you at least don't do it plain text but encrypt it or something (SSL is something, but blowfish with a two sided key would be better) and an allowed IP system.

The point is that you want to control the gateways, not make it open to all.

4 Comments

You seem to be concentrating on not serving code to untrusted clients (although just making the URL long and hard to guess by adding a hash is a pretty poor way to do that), but the much much bigger problem is not executing code from an untrusted source.
You are right. But I was under the impression that he at least controlled both sides which nulls that statement in my answer. Nonetheless, you are right like I stated in the answer "if it's PHP you want to execute think twice". So yeah.
Yep, it's PHP and that's why I am here to get your valuable help :) Okay, I am thinking to create private and public keys and pass it upon the code include, after verifying the keys, the code will execute on client side else ignore it.
If you're dead set on doing it, you should at least create a sandbox. I don't know exactly how to do it, but Symfony (and thus Laravel) has a nice one.
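
An added example (not from the question or either answer) of the two checks raised in this thread: reading allow_url_fopen / allow_url_include at runtime, and verifying a detached signature over fetched content against a public key pinned on the client before using it. It assumes the sodium extension (bundled since PHP 7.2); the names ini_flag and verified_payload, the key pair and the payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Report whether a boolean php.ini directive is on ("1", "On", "true", "yes").
function ini_flag(string $name): bool
{
    $value = ini_get($name);            // false if the directive does not exist
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Accept a fetched payload only if its detached Ed25519 signature verifies
// against the pinned public key. Returns the payload, or null when rejected.
function verified_payload(string $payload, string $signature, string $pinnedPublicKey): ?string
{
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($pinnedPublicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return null;                    // malformed input, reject before verifying
    }
    return sodium_crypto_sign_verify_detached($signature, $payload, $pinnedPublicKey)
        ? $payload
        : null;
}

// --- Constructed demo data: in practice the secret key never leaves the publisher ---
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);    // the key pinned on the client

$payload   = '{"feature":"reports","enabled":true}';    // constructed sample body
$signature = sodium_crypto_sign_detached($payload, $secretKey);

printf("allow_url_fopen:   %s\n", ini_flag('allow_url_fopen') ? 'on' : 'off');
printf("allow_url_include: %s\n", ini_flag('allow_url_include') ? 'on' : 'off');

// Genuine payload with its own signature
var_dump(verified_payload($payload, $signature, $publicKey) !== null);
// Same signature over a modified payload (one byte appended)
var_dump(verified_payload($payload . ' ', $signature, $publicKey) !== null);
```

The signature ties the content to the holder of the secret key, independent of how hard the URL is to guess or which transport carried it.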
