views:

79

answers:

3

So, if this question has been asked before, I'm sorry. I'm not exactly sure what to search for.

Introduction:

All the domains I maintain now are hosted on my server, so I have not ran into this problem yet.

I have created a structure, similar to WordPress, for uploading and editing images.

I regularly create changes in the functions and upload them to a single folder. When the user logs in, the contents are automatically downloaded into their folder.

What I am wanting to do:

Now, say I have a user that is not hosted on my server. I cannot use copy(), but is there a safe and secure way to echo the contents of each php file (obviously, I can echo) into another file on the users server?

For example:

Currently I can copy from jasonleodurbin.com to geodun.com (same server), but say I want to copy jasonleodurbin.com/test.php to somedomain.com/test.php.

I had some thoughts like give each user a private key and send that to a file like echo.php. echo.php will grab the contents of every file (that has been modified recently) and echo that to the screen. The requesting server would take that content and copy that into it's respective .php file.

I assume I could send the key through GET, but since I have never dabbled into the security implications of anything (I am a hobbyist), I don't know how secure this is.

Are there any suggestions or directions that someone could send me?

I appreciate the help!

A: 

I'm assuming this is sensitive data. If that's the case, then I would suggest encrypting the file using PGP keys. Either way, you need a method to send the file from your server to their server. I can't recall how I did it, but I used to send encrypted data file from our remote server to a server in house. We used PGP keys to encrypt and decrypt once it arrived in house. As for the method we used to send the file across the web, I believe we used SCP (you need shell access on the server).

You could use FTP, but how about setting it up so that they only have access to a particular directory so they can't touch anything else. You'll need a script to grab the file from the FTP location and storing it in the appropriate directory per user?

Just thought of something, store the file in a protected folder. Have the user download the file using curl. I believe you can specify username/password with curl.

luckytaxi
But then they'd have to know my username and password to my server. That seems pretty risky on my part.
Jason
@Jason That's why you create a FTP user with limited permissions
NullUserException
Then what happens if I want to deny that user permissions (i.e. they haven't paid in months)? I can't do it without having access to their server.
Jason
You remove their account from the server.
luckytaxi
I like the curl, it was what I was looking for. I'm not sure If I will fully implement what you said, but I'll look into it.
Jason
A: 

Several options:

Upload the newest version of test.php as test.phps (PHP Source file, will be displayed instead of run) in a location know to the client. It is then up to them to download this file and install it on their web server. pros: not much effort required on your part, no keys or encryption required. cons: everyone can view the contents of your PHP file if they know where to look, no guarantee that clients will actually get updated versions of the file.

Copy the file to clients web server. Use scp, ftp, or some such method to update test.php on the clients web server whenever you change it. pros: file will always be updated. Reasonably secure if you use scp cons: extra step required for you, you will have to remember to do this each time you change test.php. You will need to have access to the clients web server for this to work

Automated copy at a timed interval. Set up a cron script that syncs test.php to the clients web server at a certain time each hour/day/week/whatever pros: Not much repeated effort required on the part of either party. Reasonably secure if you use scp cons: could break if something changes and you're not emailing when an error occurs. You will still also need access to the clients machine for this to work.

There's probably a lot more different ways to do this as well, but this is just a few to get you started

Dave
I like the idea, but I am trying to stick away from requiring access to their server. In terms of deciding what needs to be updated, I figure I could use something like alot APIs do. Send a request to a file, then look at the output (i.e. newest version). If the versions don't match, ask what has been modified since last update (I already do this). Then request the contents of these files. All that seems easy, but it's the security aspect I am worried about. I don't care much about complexity.
Jason
A: 

Use a version control system, such as subversion. Just check in your code to the repository each time you make some changes you want to push, and run an update from the clients. If you're already using a version control system, create a production-branch where you commit your changes when they're ready to be pushed to clients.

It can be done from the clients in pure php (slightly experimental) with library from here or here, with a PHP extension, or with a wrapper to the native svn client.

This gives you security, as each user can have their own password, which you can retract if you so please. Can also do encryption by running through a ssh tunnel (limits your library choices to the wrapper I think), but really, wouldn't worry too much about encryption, who's going to be looking at the traffic between the servers? Unless you're doing top secret type stuff.

It also gives you automatic change detection, you don't have to roll your own way of keeping track of which files are updated as this is done when you commit your new changes.

It's a proven way of doing code bases up to date, so I don't see why you would implement your own. It also gives you the extra advantage of being able to roll back changes if (when) there's a problem with the code update.

Alexander Sagen