Reputation: 1526
Can a PHP script be included outside my file system?
I have a PHP script called constants.php, in there I have a lot of valuable data, like my MySQL information, etc.
Is it possible to access that script outside my machine? Lets say, using the following: include http://www.fakewebsite.com/config/constants.php
Upvotes: 1
Views: 124
Answers (4)
Reputation: 14222
If the URL is publically accessible, then yes, anyone can read it from the URL, including scripts.
However the key part here is that they will access the output of constants.php, not the file itself. They'll get exactly the same output as you would if you accessed the file from a web browser.
What they cannot do is include your actual PHP code by calling the URL. The URL is not a direct connection to the PHP file; it's a connection to the web server. The web server then processes the PHP file and provides the output. As long as the web server is processing the PHP file before sending the output, then your PHP code is safe. It can't be seen via the URL.
There may be other ways of getting at it, but not that way.
Upvotes: 1
Reputation: 146540
Let's read the docs:
If "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.
So you can actually load external files (if your admin allows you to). However, is it going to be useful in your case? Open http://www.fakewebsite.com/config/constants.php in your web browser and open the "View Source" menu. Whatever you see there, it's what your PHP script will see (most likely, a blank page).
Last but not least... Supposing that the remote server is configured to not execute *.php files or contains a PHP script that generates PHP code, why would you want to post all that valuable and sensitive data to the Internet?
Upvotes: 2
Reputation: 3904
Well, yes and no.
Yes: They will be able to access the output of the file constants.php (however most likely it will be blank).
No: They won't be able to access your variables. You can only access these before PHP has been parsed.
Upvotes: 2
Reputation: 3558
Yes, so long as you have access to the script, you can include it within your own scripts.
Upvotes: 0
Related Questions
- Storing script files outside web root
- Can another site use my PHP script externally?
- PHP Arbitrary File Inclusion
- How to give a PHP file its own execution space, denying it access to any other files outside of its directory?
- Fool a PHP file to thinking it is alone in it directory
- What's the safest method to access a php file thats outside the root directory?
- How do I dynamically include a PHP script?
- Better security of PHP by keeping include files outside the public folder?
- placing php script outside website root
- how to restrict PHP script with file system access?