Reputation: 23
I have the following issue: I got a PHP file (standards.php) with statements like these:
define('CONSTVAR', '/path/');
Now, I have another file called untitled.php, containing this:
include ('standards.php');
echo CONSTVAR;
This will result in a page saying /path/, the value of the constant.
It's good so far.
But when I put the standards.php on another one of my websites and try to include it from there (using the include('http://mysite.eu/core/standards.php'); command), it doesn't work. The constant remains empty, and I also get the following error:
Warning: main(http://mysite.eu/core/standards.php) [function.main]: failed to open stream: Permission denied in /home/www/this.nl/core/untitled.php on line 28
Warning: main() [function.include]: Failed opening 'http://mysite.eu/core/standards.php' for inclusion (include_path='.:/usr/local/php4/lib/php') in /home/www/this.nl/core/untitled.php on line 28
allow_url_include is enabled and allow_url_fopen too. When I type the full URL of the standards.php into my browser, I get a page result, so it's not an issue of not having access rights, right?
What could be the issue here? Why is the constant, which is supposed to be global, not "inherited" when including from a remote server?
Upvotes: 2
Views: 1735
Reputation: 45948
Allow_url_include is enabled and allow_url_fopen too. When I type the full url of the standards.php into my browser, I get a page result, so it's not an issue of not having access rights, right?
allow_url_fopen and allow_url_include can only be set in php.ini or httpd.conf. It is the local server that is preventing the file from being included, which is different to typing the URL into the browser.
Why is the constant, which is supposed to be global, not "inherited" when including from a remote server?
Even if the external include worked, it won't work as expected. Includes over HTTP are different to standard includes.
You are including the output of the included file. The external PHP file is processed at the external server before being included.
It would certainly be a security vulnerability if external PHP files could be read verbatim in this way.
Upvotes: 2
Reputation: 19380
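function cthulhu_include($url)
{
    // Fetch the remote file body as a string instead of printing it.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $code = curl_exec($ch);
    // eval() runs whatever the remote host returned, with this script's privileges.
    eval($code);
    curl_close($ch);
}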
Delivering. Also make sure that you have for example .txt (plain text) file instead of .php (processed plain text) (because you will get blank output), that way everyone can see your code in the process, too.
Upvotes: 4
Reputation: 3042
You cannot usually include PHP files from remote hosts over the HTTP wrapper because when your PHP parser requests the include, it either fails to find the file (include is used to include files from the local filesystem with absolute or relative paths), or the remote webserver sends it not the source code, but a parsed PHP file like it would send to a browser. And include takes source code.
For further information, taken from the manual entry of include():
Warning. SECURITY WARNING:
Remote file may be processed at the remote server (depending on the file extension and the fact if the remote server runs PHP or not) but it still has to produce a valid PHP script because it will be processed at the local server. If the file from the remote server should be processed there and outputted only, readfile() is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.
Upvotes: 7
Reputation: 146330
It is not usually advisable to use external includes.
They do not usually work well (or at all).
So don't use external includes.
Upvotes: 0
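An alternative to the remote include discussed in this thread, as an added example that is not part of any answer above: the remote site publishes its settings as JSON data, and the local site validates the names and values before calling define() itself, so no remote text is ever executed. The function name define_shared_constants, the JSON layout and the sample payload are assumptions made for illustration.

```php
<?php
// Added example, not from the original thread. All names here are hypothetical.
// The remote site serves data (JSON), never PHP source; the local site decides
// which constants it accepts and defines them locally.

/**
 * Define constants from a JSON object, accepting only allow-listed names
 * whose values are scalars. Returns the names that were defined.
 */
function define_shared_constants(string $json, array $allowed): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        throw new RuntimeException('Shared settings are not a JSON object');
    }
    $defined = [];
    foreach ($data as $name => $value) {
        // Ignore any name the local site did not explicitly ask for.
        if (!in_array($name, $allowed, true)) {
            continue;
        }
        // Data only: strings, ints, floats, bools. Skip arrays and redefinitions.
        if (!is_scalar($value) || defined($name)) {
            continue;
        }
        define($name, $value);
        $defined[] = $name;
    }
    return $defined;
}

// Constructed sample payload standing in for the remote site's JSON response.
// In production, fetch it over HTTPS with certificate verification enabled.
$sample = '{"CONSTVAR": "/path/", "UNEXPECTED": "ignored", "NESTED": {"a": 1}}';

$names = define_shared_constants($sample, ['CONSTVAR']);
echo implode(',', $names), "\n";
echo CONSTVAR, "\n";

// With this approach the consuming server can keep remote includes disabled.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    echo "allow_url_include is On: include() will accept http:// URLs\n";
}
```

Only CONSTVAR is defined from the sample; the unlisted name and the nested value are dropped, which is the property a remote include or eval() cannot give you.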