Solved

PHP remote secure data

Posted on 2014-04-15
Last Modified: 2014-04-16
I have a public website hosted with a vendor that allows for easy management and updates. It runs through SSL and is password protected to get to it.  However, I need to post some "sensitive" information to it (it's really trying to be an intranet site) but I don't want to store this data ON that server.
What I would like to do is add a DIV region and either call a remote web page from a secured data server or pull the data on demand from the remote server via PHP and/or cURL.  

I know just enough to be dangerous here so please be kind.

Can you point me in a direction to either hide the url I'm calling in the code on the public hosted server to get the page from the "hidden" server
or
point me in the direction of learning a better design for retrieving sensitive data?
Question by:davebird
8 Comments
 
LVL 55

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
ID: 40002118
If your hosting provider supports it you could simply use file_get_contents (http://www.php.net/manual/en/function.file-get-contents.php)

<div>
<?php echo file_get_contents('http://my.secret.server.com/my/secret/content.html');?>
</div>


If this does not work it is probably because it has been disabled in the php.ini file - if you are able to change the allow_url_fopen (http://php.net/manual/en/filesystem.configuration.php) parameter in the php.ini then you can also do that.

If that does not work then cURL is the next option.

This can be done with the following function (from here http://www.php.net/manual/en/curl.examples.php)
<?php
function get_page($url)
{
        // create curl resource
        $ch = curl_init();

        // set url
        curl_setopt($ch, CURLOPT_URL, $url);

        //return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        // $output contains the output string
        $output = curl_exec($ch);

        // close curl resource to free up system resources
        curl_close($ch);     
        return $output;
}
?>
<div>
<?php echo get_page('http://my.secret.server.com/my/secret/content.html');?>
</div>

 

Author Comment

by:davebird
ID: 40002138
Thank you.  That's awesome and should work. My "beginner" question is:
If the public hosted site gets hacked, the source line of
<?php echo file_get_contents('http://my.secret.server.com/my/secret/content.html'); ?> is visible and then easily accessible by opening a browser and going there.
How do I tell PHP where to go get it such that someone who "got" the code can't go there?
Promise, that's my last concern.
And Thank you for the code.
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 40002892
Ask yourself: "What is the information you're trying to protect?"  If it's bowling scores, medical records, financial data or nuclear launch codes the processes are different.  If your process publishes the sensitive data on a web page, the data has been released into the wild and you no longer have control over where it goes.  If your process simply uses the data in a way that yields a different web page, and simultaneously prevents a web site visitor from discerning what the underlying data contains, you have a gentleman's chance of keeping your secrets.

Maybe with a little more exposition and some examples we could give you a stronger answer.

 

Author Comment

by:davebird
ID: 40002908
Happy to share.  I need to send confidential information to share between people in a firm. I need to have online banking type security. They want to be able to have their browsers or mobile device open and be able to refresh while out in the field for new or urgent requests. The site already has an SSL certificate, but I can't store the data on the public site.  I want to pull it from a remote server. But I can't wrap my head around a way to connect to the remote server from the public host without plain text in the PHP file revealing where the server/data URL is.
 
LVL 55

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
ID: 40003290
If you don't want the location to be in the open in the PHP files then you can look at putting code on the private server that only allows requests from the public server's IP.

In other words
$public_ip = '10.10.10.76';
if ($_SERVER['REMOTE_ADDR'] != $public_ip) {
   die('RESTRICTED ACCESS');
}

 
LVL 109

Accepted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 40003792
Executive summary: If you can't secure your PHP scripts against unwanted exposure you have a major security problem.  You might want to get involved in OWASP or read the PHP Security manual.

Let's go back to this...
"If the public hosted site gets hacked, the source is visible and then easily accessible by opening a browser and going there.  How do I tell PHP where to go get it such that someone who 'got' the code can't go there?"
That does not have to be true.  Here are some of the ways to prevent direct browser access or obscure the information in ways that would make it harder to attack.

1. Place the sensitive data outside of the WWW root directory.  This would require a server-side script to access the sensitive data and deliver the sensitive data to the client.  You can build some protections into that server-side script.

2. Test the HTTP_REFERER value.  While it is true that this and all other components of the request can be spoofed, it's unlikely that a casual observer will know whether / how to spoof the value.

3. Set an authentication signal in the PHP session. (The success of this strategy will depend on your URLs and the way you start the session).

4. Encode the PHP scripts with something like IONCube.

Ultimately, PHP security is like a fire safe.  A safe is rated for temperature and time until the contents are incinerated.  Your PHP security measures will withstand some kinds of attacks for some period of time, but eventually, if the attacker is resourceful, determined and technically savvy, they can be broken.  You need to plan for that eventuality even as you try to minimize the risk.
0
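A sketch of the private-server side of the advice above, combining the REMOTE_ADDR check from the earlier answer with point 1 (data outside the web root, served by a script that carries its own protections). It is an added example, not code from any poster in this thread; the X-Intranet-Token header, the shared secret, the document keys and the directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Gate script for the PRIVATE server. Names and values here are assumptions, not from the thread.
const PUBLIC_SERVER_IP = '10.10.10.76';     // the public server's address, as in the answer above
const DOCS = ['urgent' => 'urgent.html'];   // request key => file name (fixed allowlist)

/** Returns [HTTP status, body]; $server mirrors $_SERVER and $query mirrors $_GET. */
function serve_private(array $server, array $query, string $secret, string $dataDir): array
{
    // 1. Only the public web server may connect (the REMOTE_ADDR check from the thread).
    if (($server['REMOTE_ADDR'] ?? '') !== PUBLIC_SERVER_IP) {
        return [403, 'RESTRICTED ACCESS'];
    }
    // 2. The caller must also present a shared secret; hash_equals() compares in constant time.
    $token = $server['HTTP_X_INTRANET_TOKEN'] ?? '';   // hypothetical header name
    if (!is_string($token) || !hash_equals($secret, $token)) {
        return [403, 'RESTRICTED ACCESS'];
    }
    // 3. The client never supplies a path: it names a key and the server picks the file.
    $key = $query['doc'] ?? '';
    if (!is_string($key) || !array_key_exists($key, DOCS)) {
        return [404, 'NOT FOUND'];
    }
    // 4. The file lives outside the web root, so no URL maps to it directly.
    $body = @file_get_contents($dataDir . '/' . DOCS[$key]);
    return $body === false ? [404, 'NOT FOUND'] : [200, $body];
}

// --- Demo with constructed requests (runs from the CLI, no network needed) ---
$dataDir = sys_get_temp_dir() . '/private-data-demo';   // stands in for a directory outside the web root
@mkdir($dataDir);
file_put_contents($dataDir . '/urgent.html', '<p>constructed sample notice</p>');
$secret = 'constructed-demo-secret';   // in practice a long random value read from a file outside the web root

$requests = [
    'public server, good token'    => [['REMOTE_ADDR' => '10.10.10.76', 'HTTP_X_INTRANET_TOKEN' => $secret], ['doc' => 'urgent']],
    'browser that learned the URL' => [['REMOTE_ADDR' => '203.0.113.9'], ['doc' => 'urgent']],
    'right IP, wrong token'        => [['REMOTE_ADDR' => '10.10.10.76', 'HTTP_X_INTRANET_TOKEN' => 'guess'], ['doc' => 'urgent']],
    'unlisted document key'        => [['REMOTE_ADDR' => '10.10.10.76', 'HTTP_X_INTRANET_TOKEN' => $secret], ['doc' => '../other.html']],
];
foreach ($requests as $label => [$server, $query]) {
    [$status, $body] = serve_private($server, $query, $secret, $dataDir);
    printf("%-30s => %d %s\n", $label, $status, $body);
}
```

If the private server sits behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address, so the IP check has to run where the real peer address is visible.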
 

Author Closing Comment

by:davebird
ID: 40003941
While almost every question I ask out here is answered to some degree, the respondents on this question were spot on and direct. Thank you!
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 40004027
Thanks for the points and thanks for using EE, ~Ray