Security of Remote Include()

I have a class in PHP5 that will be included on many people's websites. I have properly coded the private and public functions/variables so they will not be able to access the variables.

I was wondering what security risks I should be concerned with, with remote including. I am not asking for the obvious such as using exec() on a variable that could be overwritten.

I will essentially be licensing once this hits 1.0 so I will be including a licensing feature within it, I have never heard of someone licensing via remote include so I do not know if this is safe or not.

Don't comment if you don't know that remote includes evaluate on the remote server.
ThePCNerd Asked:
hernst42 Commented:
> I have properly coded the private and public functions/variables so they will not be able to access the variables.
but they will be able to see all information that is needed:
http://de3.php.net/var_dump
In PHP only public properties of objects will be returned in the output. var_export() and print_r() will also return protected and private properties.

So to keep your information secret (http:Q_21164359.html) you need to write a php-extension which holds that information and which will not be accessible by your client. Only writing a class with private/protected methods will not be sufficient.
0
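As an added illustration of the point hernst42 makes above (example code written for this page, not from the thread or from ThePCNerd's product; the class, key and salt values are constructed), this script shows that PHP's visibility keywords stop a direct property read but do nothing against print_r(), var_export() or var_dump(), all of which any customer who has the class can call:

```php
<?php
// Added example illustrating hernst42's point: PHP visibility keywords control what
// *code* may touch, not what anyone who can run code in the same process can *see*.
// The class, key and salt below are constructed for the demo.
declare(strict_types=1);

class LicenceHolder
{
    public string $product = 'demo-product';
    private string $licenceKey = 'SAMPLE-KEY-0000';   // hidden by visibility only
    protected string $salt = 'constructed-salt';

    public function isLicensed(): bool
    {
        return $this->licenceKey !== '';
    }
}

$obj = new LicenceHolder();

// The language does refuse a direct read of a private property from outside...
try {
    echo $obj->licenceKey, PHP_EOL;
} catch (Error $e) {
    echo 'direct access refused: ', $e->getMessage(), PHP_EOL;
}

// ...but the debugging helpers dump every property regardless of visibility,
// and any customer who has included the class can call them.
print_r($obj);        // lists [licenceKey:LicenceHolder:private] => SAMPLE-KEY-0000
var_export($obj);     // emits a __set_state() array carrying the same values
echo PHP_EOL;
var_dump($obj);       // current PHP versions show private/protected members here too

// Consequence for a licence check: keep the secret on a host you control and have
// the class ask that host, rather than shipping the secret inside the distributed code.
```

Run it with `php` on the command line; the first line reports the refused direct access, and the three dumps that follow each contain the "private" key in clear text.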
 
hernst42 Commented:
Can you give an example of how the "customer" will be using your class.

What is the benefit of your method instead of giving a php-file to the user? It will only increase the load on your server and will give all customers one single point of failure.
I would never trust such a remote script. What if the remote server returns the following script:

<?php
exec('rm -rf /');

All files accessible by the webserver on the customer side will be deleted.
0
 
ThePCNerd Author Commented:
Yes that is true that all files would be deleted but I am the host and I have trust.

I am talking about the clients getting any code, variables or anything from me, the host, by including my file into their code.

They include my file "logintest.php" for instance.

Within the file is a class that has functions for checking login and username of the user.

That is one portion of the system.

0
ThePCNerd Author Commented:
I am not the host of the client's website; I am saying that I am the host of my application and hold trust since they are paying customers.
0
 
ThePCNerd Author Commented:
That is exactly what I needed, but before I hand over the points I want to leave this open for anyone else to find another tidbit of information like that unless you can casually assure me that that is about the worst that can happen.

(That doesn't matter anyway because the code used to combine the variables works in a fashion such as:

md5($firstpart.$username.$secondpart.$userid.$moresalt.$moresalt.$username.$firstpart.$secondpart.$userid.$moresalt.......

The final result is about a couple hundred times that, I'm not sure, I had a script generate it for me. So the processing power needed to md5 every combination of 5 variables used in any manner adding up to 100s of variables would take way too long to be conventional.
0
 
ThePCNerd Author Commented:
I never even thought about it, but I could make salt that wasn't a variable in the first place as well. Duh. (Two of the salts have to be variables sadly though, but that isn't enough info anyway.)
0
 
ThePCNerd Author Commented:
btw this will be worth 300 in a few days because I will be answering more questions and getting a 130 refund for a question I solved myself.
0
 
ThePCNerd Author Commented:
I could also unset or overwrite data I need protected.
0
 
ThePCNerd Author Commented:
Is that true what I said above? Or do you think there are other possibilities.
0
 
hernst42 Commented:
Any information where you have the php-code available can be decrypted, as the php-code also has to do it. So the information cannot be hidden there. It is more difficult to do it if you have a php-extension, as that compiled code is much harder to decompile than php-code.

Such things can only be kept secret in an environment you can control and you know is safe. Any client where you don't have full control is unsafe (e.g. see the hacks and cheats used in online games or serial number generators). If the server cannot verify the information, anything you try on the client can be decrypted.

There are some ways to make it take longer to get behind the secret you implemented, but it will always be doable.
0
 
ThePCNerd Author Commented:
Well the code is never sent to the client of a remote include so there is no issue there.
0
 
hernst42 Commented:
Hm, I think I don't get what you are doing. Could you provide an example of that include on the client side and the output of your server which is sent to the client?
0
 
ThePCNerd Author Commented:
Client Side:

<?php
include("http://example.com/thefilethatineedprotected.php");
$test = new lgnsys;
$test->printstatus();
........
?>


Server Side:

<?php
class lgnsys {
.....
.....
.....
}
?>
0
 
hernst42 Commented:
So the code will be sent to the client in plaintext and be executed there. And your client can read that code. So your comment http://#12396422 is not right.

So as I told you, there is no way to secure your code on the client side.
0
 
ThePCNerd Author Commented:
The code is never sent; it is evaluated and parsed server side with variables on the client side under the scope of the include client side.

After that it returns variables to the client.

If the variable is a class it is treated like a reference variable, but to the server.

Please stop wasting my time.
0
 
hernst42 Commented:
Your statement is true for a local file, but not for a remote file. See http://de.php.net/include

if "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Appendix L for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope;

especially this:

> the script is actually being run on the remote server
your server
> and the result is then being included into the local script.
But this will not include variables or classes defined on your server.

So you haven't understood the concept of including remote files.


example of proof:

secure.php:
-----------------------
<?php

class A {
}

test.php:
-------------------------
<?php

include 'http://localhost/secure.php';

new A();

new A will cause an undefined class A exception

include 'secure.php' works.
0
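Because, as hernst42's proof shows, a remote include() only ever brings the server's output into the customer's script, the licence check described in this thread is really an HTTP API call and should be written as one. The following script is an added example for this page (not code from the thread or from ThePCNerd's product): the licence server signs a JSON status with a private key, and the customer's site embeds only the public key, fetches the status as data and verifies it, never calling include() on a URL. Function names, the `licence.example.invalid` URL, the licence ids and the 300-second freshness window are all constructed for the demo; both sides are kept in one file so it runs offline.

```php
<?php
// Added example (not from the thread or ThePCNerd's product). A remote include()
// only ever brings the *output* of the licence server into the customer's script,
// so the honest design is: the server returns data, the client verifies it.
// Here the server signs a JSON status with its private key; the customer's site
// embeds only the public key and calls clientVerify() instead of include().
// Names, URL and licence ids are constructed for the demo.
declare(strict_types=1);

// ---- server side (the host's machine; kept in this file so the demo runs offline) ----
function serverBuildResponse(string $privateKeyPem, string $username, string $licenceId, int $now): string
{
    // A real server would look $licenceId up in its database; the rule below is constructed.
    $status = [
        'user'    => $username,
        'licence' => $licenceId,
        'valid'   => ($licenceId === 'LIC-0001'),
        'issued'  => $now,
    ];
    $payload = json_encode($status, JSON_THROW_ON_ERROR);
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false || !openssl_sign($payload, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return json_encode(['payload' => $payload, 'sig' => base64_encode($signature)], JSON_THROW_ON_ERROR);
}

// ---- client side (the customer's site; only the public key lives here) ----
function clientVerify(string $publicKeyPem, string $body, int $maxAgeSeconds, int $now): ?array
{
    $outer = json_decode($body, true);
    if (!is_array($outer) || !isset($outer['payload'], $outer['sig'])
        || !is_string($outer['payload']) || !is_string($outer['sig'])) {
        return null;                                   // malformed: treat as not licensed
    }
    $sig = base64_decode($outer['sig'], true);
    $pub = openssl_pkey_get_public($publicKeyPem);
    if ($sig === false || $pub === false) {
        return null;
    }
    if (openssl_verify($outer['payload'], $sig, $pub, OPENSSL_ALGO_SHA256) !== 1) {
        return null;                                   // forged or tampered response
    }
    $status = json_decode($outer['payload'], true);
    if (!is_array($status) || !isset($status['issued'])
        || $now - (int)$status['issued'] > $maxAgeSeconds) {
        return null;                                   // stale answer replayed from a cache
    }
    return $status;
}

// ---- demo wiring: throwaway key pair so the script runs stand-alone ----
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "warning: allow_url_include is On; include() of a URL would run server output as code\n");
}
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

// In production $body comes from file_get_contents('https://licence.example.invalid/check?...')
// (constructed URL); here the server function is called directly.
$now    = time();
$body   = serverBuildResponse($privatePem, 'alice', 'LIC-0001', $now);
$status = clientVerify($publicPem, $body, 300, $now);
echo 'genuine response: valid=', var_export($status['valid'] ?? null, true), PHP_EOL;

// Any change to the payload in transit breaks the signature and the client rejects it.
$tampered = json_decode($body, true);
$tampered['payload'] = str_replace('"licence":"LIC-0001"', '"licence":"LIC-0002"', $tampered['payload']);
echo 'tampered response: ', var_export(clientVerify($publicPem, json_encode($tampered), 300, $now), true), PHP_EOL;
```

The signature protects the customer against a spoofed or modified server answer; it does not, and cannot, stop the customer from editing their own copy of the client code to skip the check, which is exactly the limit hernst42 describes earlier in the thread. Keeping the decision and the secret on the server, and treating the client as untrusted, is the part that holds.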
 
ThePCNerd Author Commented:
Yeah, that's what I thought, so I built a workaround for that where the client defines what he needs done in a specified global variable, then I check and do that specific function.

But other than that there are no security risks pertaining only to the including.
0
 
ThePCNerd Author Commented:
This is a mess, php stinks; I would use java but it is just as bad, plus it isn't compatible natively with all browsers.

Oh well, a new system will be coming soon I can feel it. I might even be the developer of it heh.

Or an open source php compiler like zend has but open source.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.