Solved

PHP remote secure data

Posted on 2014-04-15
Last Modified: 2014-04-16
I have a public website hosted with a vendor that allows for easy management and updates. It runs through SSL and is password protected to get to it.  However, I need to post some "sensitive" information to it (it's really trying to be an intranet site) but I don't want to store this data ON that server.
What I would like to do is add a DIV region and either call a remote web page from a secured data server or pull the data on demand from the remote server via PHP and/or cURL.  

I know just enough to be dangerous here so please be kind.

Can you point me in a direction to either hide the url I'm calling in the code on the public hosted server to get the page from the "hidden" server
or
point me in the direction of learning a better design for retrieving sensitive data?
Question by:davebird
8 Comments
 
LVL 51

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
If your hosting provider supports it you could simply use file_get_contents (http://www.php.net/manual/en/function.file-get-contents.php)

<div>
<?php echo file_get_contents('http://my.secret.server.com/my/secret/content.html');?>
</div>

If this does not work it is probably because it has been disabled in the php.ini file - if you are able to change the allow_url_fopen (http://php.net/manual/en/filesystem.configuration.php) parameter in the php.ini then you can also do that.

If that does not work then cURL is the next option.

This can be done with the following function (from here http://www.php.net/manual/en/curl.examples.php)
<?php
function get_page($url)
{
        // create curl resource
        $ch = curl_init();

        // set url
        curl_setopt($ch, CURLOPT_URL, $url);

        //return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        // $output contains the output string
        $output = curl_exec($ch);

        // close curl resource to free up system resources
        curl_close($ch);     
        return $output;
}
?>
<div>
<?php echo get_page('http://my.secret.server.com/my/secret/content.html');?>
</div>

 

Author Comment

by:davebird
Thank you.  That's awesome and should work. My "beginner" question is:
If the public hosted site gets hacked, the source line of
<?php echo file_get_contents('http://my.secret.server.com/my/secret/content.html') is visible and then easily accessible by opening a browser and going there.
How do I tell PHP where to go get it such that someone who "got" the code can't go there?
Promise, that's my last concern.
And Thank you for the code.
 
LVL 108

Expert Comment

by:Ray Paseur
Ask yourself: "What is the information you're trying to protect?"  If it's bowling scores, medical records, financial data or nuclear launch codes the processes are different.  If your process publishes the sensitive data on a web page, the data has been released into the wild and you no longer have control over where it goes.  If your process simply uses the data in a way that yields a different web page, and simultaneously prevents a web site visitor from discerning what the underlying data contains, you have a gentleman's chance of keeping your secrets.

Maybe with a little more exposition and some examples we could give you a stronger answer.
 

Author Comment

by:davebird
Happy to share.  I need to send confidential information to share between people in a firm. I need to have online banking type security. They want to be able to have their browsers or mobile device open and be able to refresh while out in the field for new or urgent requests. The site already has an SSL certificate, but I can't store the data on the public site.  I want to pull it from a remote server. But I can't wrap my head around a way to connect to the remote server from the public host without plain text in the PHP file revealing where the server (data URL) is.
 
LVL 51

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
If you don't want the location to be in the open in the PHP files then you can look at putting code on the private server that only allows requests from the public server's IP.

In other words
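<?php
// Address of the public web server, the only client allowed to call this script
$public_ip = '10.10.10.76';
// Refuse any request that does not come from that address
if ($_SERVER['REMOTE_ADDR'] !== $public_ip) {
   die('RESTRICTED ACCESS');
}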

 
LVL 108

Accepted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
Executive summary: If you can't secure your PHP scripts against unwanted exposure you have a major security problem.  You might want to get involved in OWASP or read the PHP Security manual.

Let's go back to this...
If the public hosted site gets hacked, the source is visible and then easily accessible by opening a browser and going there.  How do I tell PHP where to go get it such that someone who "got" the code can't go there?
That does not have to be true.  Here are some of the ways to prevent direct browser access or obscure the information in ways that would make it harder to attack.

1. Place the sensitive data outside of the WWW root directory.  This would require a server-side script to access the sensitive data and deliver the sensitive data to the client.  You can build some protections into that server-side script.

2. Test the HTTP_REFERER value.  While it is true that this and all other components of the request can be spoofed, it's unlikely that a casual observer will know whether / how to spoof the value.

3. Set an authentication signal in the PHP session. (The success of this strategy will depend on your URLs and the way you start the session).

4. Encode the PHP scripts with something like IONCube.

Ultimately, PHP security is like a fire safe.  A safe is rated for temperature and time until the contents are incinerated.  Your PHP security measures will withstand some kinds of attacks for some period of time, but eventually, if the attacker is resourceful, determined and technically savvy, they can be broken.  You need to plan for that eventuality even as you try to minimize the risk.
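
One way to combine the IP restriction suggested earlier in the thread with item 1 of the accepted answer, as an added example that is not code from anyone in this thread: a script on the private server that serves files kept outside the web root. The environment variable names PUBLIC_HOST_IP and FETCH_TOKEN, the X-Fetch-Token header, the `page` parameter and the /srv/private-content path are assumptions made for the example.

```php
<?php
// Added example for the private data server; not code from the thread.
// Assumptions (hypothetical names): PUBLIC_HOST_IP and FETCH_TOKEN are set in
// the server environment, the caller sends the token in an X-Fetch-Token
// header, and the content lives in /srv/private-content, outside the web root.

const CONTENT_DIR = '/srv/private-content';

/** Decide whether a request may read $name; returns [status, body]. */
function serve_private(array $server, string $name, string $allowedIp, string $token): array
{
    // IP restriction: only the public host's address may call this script.
    if ($allowedIp === '' || ($server['REMOTE_ADDR'] ?? '') !== $allowedIp) {
        return [403, 'RESTRICTED ACCESS'];
    }
    // Knowing the URL is not enough: the caller must also present a secret,
    // which is kept out of the source and compared in constant time.
    $sent = (string) ($server['HTTP_X_FETCH_TOKEN'] ?? '');
    if ($token === '' || !hash_equals($token, $sent)) {
        return [403, 'RESTRICTED ACCESS'];
    }
    // Accept plain file names only, so "../" cannot escape CONTENT_DIR.
    if (!preg_match('/\A[a-z0-9_-]+\.html\z/i', $name)) {
        return [400, 'BAD REQUEST'];
    }
    $path = CONTENT_DIR . '/' . $name;
    if (!is_file($path)) {
        return [404, 'NOT FOUND'];
    }
    return [200, (string) file_get_contents($path)];
}

// Unset environment variables become '' and therefore deny every request.
[$status, $body] = serve_private(
    $_SERVER,
    (string) ($_GET['page'] ?? ''),
    (string) getenv('PUBLIC_HOST_IP'),
    (string) getenv('FETCH_TOKEN')
);
http_response_code($status);
header('Cache-Control: no-store'); // keep the content out of intermediate caches
echo $body;
```

The public host would request this script over HTTPS and pass the token with CURLOPT_HTTPHEADER. If the private server sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the allowed address has to be chosen with that in mind.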
 

Author Closing Comment

by:davebird
While almost every question I ask out here is answered to some degree, the respondents on this question were spot on and direct. Thank you!
 
LVL 108

Expert Comment

by:Ray Paseur
Thanks for the points and thanks for using EE, ~Ray