http://www.php.net/manual/en/features.remote-files.php

The only time I could ever think of doing include("http://someotherserver/foo.php") would be as some sort of weird intra-server service interface, but even then I could think of a million different ways that were safer to accomplish the same thing. Still, my specific question is, has anyone seen remote includes in a production environment and did it make any sense doing so?

Edit: To clear something up, I would cause physical injury to befall anyone who ever tried to use remote includes in a production environment I worked on... So yes I know this is a nightmarish security hole. Just trying to figure out why it's still there versus other weird ideas like magic quotes and global variables.

+1  A: 

Remote file execution is extremely dangerous... I've never used it on my servers, and I can't imagine a valid reason to put your, ahem, balls into the basket that someone else controls. That's just asking to be hacked.

Alex
But have you ever seen it used by anyone?
David
Even if the code was on another server *you* controlled, anything over the public internet is a little crazy. Maybe more than a little.
Tim Lytle
A: 

No, I didn't. It's going to the bear's mouth.

Daniel S
+2  A: 

While I've never seen this in real life, I could imagine a farm with separate physical servers with no shared file system. You could possibly have one server with all the code, i.e. api.domain.com, and the other servers include from it. It would make deployments easier if you have tens or hundreds of separate sites. But as Alex said, it's asking to be hacked.

Byron Whitlock
I didn't think of that and your idea sounds like one of the only sane reasons to use remote includes.
David
This is something I've thought of (but actually implementing this would be way too risky for me).
Tim Lytle
A: 

I suppose the possibility to include/require remote files is a consequence of allow_url_fopen -- which was introduced in PHP 4.0.x.

Though, considering the security risks of remote inclusion, a new directive, allow_url_include, was introduced in PHP 5.2: now, this one determines whether you can remote include/require, while the first one only impacts fopen and the like -- which is nice: it allows an admin to disable remote inclusion, while keeping remote opening.

Like others, I have never seen remote require/include used in a real-case scenario, while I, of course, often see situations where remote opening is used -- the bad thing is I sometimes see servers with allow_url_fopen disabled because of security reasons that don't exist anymore :-(

Pascal MARTIN
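
The split between allow_url_fopen and allow_url_include described in the last answer can be checked across a fleet by reading each server's php.ini. The following audit script is an added example, not code from any of the posters or from PHP itself; the function names and sample configurations are constructed, and it assumes only the main php.ini is read, section headers are ignored, and a repeated directive takes its last value.

```python
# Added example: audit php.ini text for the two URL-wrapper directives.
# Assumptions: main php.ini only, section headers ignored, last value wins.

# PHP's defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
TRUE_WORDS = {"1", "on", "true", "yes"}

def parse_bool(raw):
    """Interpret a php.ini boolean value (On/Off, 1/0, true/false, yes/no)."""
    value = raw.strip().strip("\"'").lower()
    if value in TRUE_WORDS:
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False

def effective_settings(ini_text):
    """Return the effective value of both directives for one php.ini."""
    settings = dict(DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip ';' comments
        if line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or not an assignment
        key, _, value = line.partition("=")
        if key.strip() in settings:  # directive names are case sensitive
            settings[key.strip()] = parse_bool(value)
    return settings

def audit(ini_text):
    """Return (severity, message) findings for one php.ini."""
    s = effective_settings(ini_text)
    findings = []
    if s["allow_url_include"]:
        findings.append(("high", "allow_url_include is On: include/require accept URLs"))
    if not s["allow_url_fopen"]:
        findings.append(("info", "allow_url_fopen is Off: not needed to block "
                                 "remote include on PHP >= 5.2"))
    return findings

# Constructed sample configurations (not taken from any real server).
LEGACY = "[PHP]\nallow_url_fopen = On\nallow_url_include = On ; old setup\n"
HARDENED = "[PHP]\nallow_url_fopen = On\nallow_url_include = Off\n"
OVERCAUTIOUS = "allow_url_fopen = 0\n"

if __name__ == "__main__":
    for name, text in [("legacy", LEGACY), ("hardened", HARDENED), ("overcautious", OVERCAUTIOUS)]:
        print(name, audit(text))
```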