

PHP remote secure data

Posted on 2014-04-15
Medium Priority
Last Modified: 2014-04-16
I have a public website hosted with a vendor that allows for easy management and updates. It runs through SSL and is password protected to get to it.  However, I need to post some "sensitive" information to it (it's really trying to be an intranet site), but I don't want to store this data ON that server.
What I would like to do is add a DIV region and either call a remote web page from a secured data server or pull the data on demand from the remote server via PHP and/or cURL.  

I know just enough to be dangerous here so please be kind.

Can you point me in a direction to either hide the URL I'm calling in the code on the public hosted server to get the page from the "hidden" server, or point me in the direction of learning a better design for retrieving sensitive data?
Question by:davebird
LVL 59

Assisted Solution

by:Julian Hansen
Julian Hansen earned 1000 total points
ID: 40002118
If your hosting provider supports it you could simply use file_get_contents (http://www.php.net/manual/en/function.file-get-contents.php)

<?php echo file_get_contents('http://my.secret.server.com/my/secret/content.html');?>


If this does not work it is probably because it has been disabled in the php.ini file - if you are able to change the allow_url_fopen (http://php.net/manual/en/filesystem.configuration.php) parameter in the php.ini then you can also do that.

If that does not work then cURL is the next option.

This can be done with the following function (from here http://www.php.net/manual/en/curl.examples.php)
<?php
function get_page($url)
{
        // create curl resource
        $ch = curl_init();

        // set url
        curl_setopt($ch, CURLOPT_URL, $url);

        //return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        // $output contains the output string
        $output = curl_exec($ch);

        // close curl resource to free up system resources
        curl_close($ch);

        return $output;
}

echo get_page('http://my.secret.server.com/my/secret/content.html');
?>


Author Comment

ID: 40002138
Thank you.  That's awesome and should work. My "beginner" question is:
If the public hosted site gets hacked, the source line of
<?php echo file_get_contents('http://my.secret.server.com/my/secret/content.html') is visible and then easily accessible by opening a browser and going there.
How do I tell PHP where to go get it such that someone who "got" the code can't go there?
Promise, that's my last concern.
And Thank you for the code.
LVL 111

Expert Comment

by:Ray Paseur
ID: 40002892
Ask yourself: "What is the information you're trying to protect?"  If it's bowling scores, medical records, financial data or nuclear launch codes the processes are different.  If your process publishes the sensitive data on a web page, the data has been released into the wild and you no longer have control over where it goes.  If your process simply uses the data in a way that yields a different web page, and simultaneously prevents a web site visitor from discerning what the underlying data contains, you have a gentleman's chance of keeping your secrets.

Maybe with a little more exposition and some examples we could give you a stronger answer.


Author Comment

ID: 40002908
Happy to share.  I need to send confidential information to share between people in a firm. I need to have online banking type security. They want to be able to have their browsers or mobile device open and be able to refresh while out in the field for new or urgent requests. The site already has an SSL certificate, but I can't store the data on the public site.  I want to pull it from a remote server. But I can't wrap my head around a way to connect to the remote server from the public host without plain text in the PHP file revealing where the server/data URL is.
LVL 59

Assisted Solution

by:Julian Hansen
Julian Hansen earned 1000 total points
ID: 40003290
If you don't want the location to be in the open in the PHP files then you can look at putting code on the private server that only allows requests from the public server's IP.

In other words
$public_ip = ''; // set to the public server's IP address
if ($_SERVER['REMOTE_ADDR'] != $public_ip) {
    exit; // refuse any request that does not come from the public server
}
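The IP restriction described above, filled out as an added example for the private server (not code from the thread). The allowlist entries are constructed documentation addresses, the content path is hypothetical, and the check reads only REMOTE_ADDR because forwarded-for headers are supplied by the client.

```php
<?php
// Added example for the private server; not code from the thread.
// Constructed values: 203.0.113.10 and 2001:db8::10 are documentation
// addresses standing in for the public web server's outbound IPs.
const ALLOWED_PEERS = ['203.0.113.10', '2001:db8::10'];
// Hypothetical location of the content, outside the document root.
const CONTENT_FILE = '/srv/private-data/content.html';

/**
 * True only if $remoteAddr matches an allowlist entry. Addresses are compared
 * in packed binary form so equivalent spellings of one IPv6 address match.
 * An empty or invalid allowlist matches nothing (fail closed).
 */
function is_allowed_peer(string $remoteAddr, array $allowlist): bool
{
    $peer = @inet_pton($remoteAddr);
    if ($peer === false) {
        return false;
    }
    foreach ($allowlist as $entry) {
        $allowed = @inet_pton($entry);
        if ($allowed !== false && $allowed === $peer) {
            return true;
        }
    }
    return false;
}

// Use the TCP peer address only. X-Forwarded-For and similar headers are
// supplied by the client and must not feed this decision.
$remote = $_SERVER['REMOTE_ADDR'] ?? '';

if (!is_allowed_peer($remote, ALLOWED_PEERS)) {
    error_log('private content: refused request from ' . $remote);
    http_response_code(403);
    exit;
}

header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');   // keep the response out of caches
readfile(CONTENT_FILE);
```

The check narrows who can request the content, but a request made from the public server itself still arrives from an allowed address, so it does not replace authenticating the end user.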

LVL 111

Accepted Solution

Ray Paseur earned 1000 total points
ID: 40003792
Executive summary: If you can't secure your PHP scripts against unwanted exposure you have a major security problem.  You might want to get involved in OWASP or read the PHP Security manual.

Let's go back to this...
If the public hosted site gets hacked, the source is visible and then easily accessible by opening a browser and going there.  How do I tell PHP where to go get it such that someone who "got" the code can't go there?
That does not have to be true.  Here are some of the ways to prevent direct browser access or obscure the information in ways that would make it harder to attack.

1. Place the sensitive data outside of the WWW root directory.  This would require a server-side script to access the sensitive data and deliver the sensitive data to the client.  You can build some protections into that server-side script.

2. Test the HTTP_REFERER value.  While it is true that this and all other components of the request can be spoofed, it's unlikely that a casual observer will know whether / how to spoof the value.

3. Set an authentication signal in the PHP session. (The success of this strategy will depend on your URLs and the way you start the session).

4. Encode the PHP scripts with something like IONCube.

Ultimately, PHP security is like a fire safe.  A safe is rated for temperature and time until the contents are incinerated.  Your PHP security measures will withstand some kinds of attacks for some period of time, but eventually, if the attacker is resourceful, determined and technically savvy, they can be broken.  You need to plan for that eventuality even as you try to minimize the risk.
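Items 1 and 3 of the list above, combined in an added example (not code from the thread): a delivery script that serves a file stored outside the web root only to a session carrying an authentication flag. The directory, the `doc` parameter and the `authenticated` session key are hypothetical names, and the login script that sets the flag is assumed to exist.

```php
<?php
// Added example; not code from the thread.
// Hypothetical directory outside the WWW root holding the sensitive files.
const PRIVATE_DIR = '/srv/private-data';

/**
 * Resolve a requested name to a real file inside $baseDir, or null.
 * basename() drops any directory part; realpath() resolves symlinks so the
 * final containment check is made on the path that will actually be read.
 */
function resolve_private_file(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($requested));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit directly under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();

// Item 3: the login script is assumed to set this flag after it has
// verified the user's credentials.
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit;
}

// Item 1: the file is reachable only through this script, never by URL.
$doc = $_GET['doc'] ?? '';
$file = is_string($doc) ? resolve_private_file(PRIVATE_DIR, $doc) : null;
if ($file === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');   // keep the response out of caches
readfile($file);
```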

Author Closing Comment

ID: 40003941
While almost every question I ask out here is answered to some degree, the respondents on this question were spot on and direct. Thank you!
LVL 111

Expert Comment

by:Ray Paseur
ID: 40004027
Thanks for the points and thanks for using EE, ~Ray

Question has a verified solution.