Solved

PHP remote secure data

Posted on 2014-04-15
Last Modified: 2014-04-16
I have a public website hosted with a vendor that allows for easy management and updates. It runs through SSL and is password protected to get to it.  However, I need to post some "sensitive" information to it (it's really trying to be an intranet site), but I don't want to store this data ON that server.
What I would like to do is add a DIV region and either call a remote web page from a secured data server or pull the data on demand from the remote server via PHP and/or cURL.  

I know just enough to be dangerous here so please be kind.

Can you point me in a direction to either hide the URL I'm calling in the code on the public hosted server to get the page from the "hidden" server, or point me in the direction of learning a better design for retrieving sensitive data?
Question by:davebird
8 Comments
 
LVL 57

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
ID: 40002118
If your hosting provider supports it you could simply use file_get_contents (http://www.php.net/manual/en/function.file-get-contents.php)

<div>
<?php echo file_get_contents('http://my.secret.server.com/my/secret/content.html');?>
</div>


If this does not work it is probably because it has been disabled in the php.ini file - if you are able to change the allow_url_fopen (http://php.net/manual/en/filesystem.configuration.php) parameter in the php.ini then you can also do that.

If that does not work then cURL is the next option.

This can be done with the following function (from here http://www.php.net/manual/en/curl.examples.php)
<?php
function get_page($url)
{
        // create curl resource
        $ch = curl_init();

        // set url
        curl_setopt($ch, CURLOPT_URL, $url);

        //return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        // $output contains the output string
        $output = curl_exec($ch);

        // close curl resource to free up system resources
        curl_close($ch);     
        return $output;
}
?>
<div>
<?php echo get_page('http://my.secret.server.com/my/secret/content.html');?>
</div>


0
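An added example, not part of the thread: a stricter variant of the get_page() function from the answer above for fetching sensitive content server to server. It accepts only https:// URLs, verifies the certificate and fails closed on errors; the function name fetch_private_page and the timeout values are assumptions.

```php
<?php
// Added example: hardened variant of get_page() for server-to-server fetches.
// fetch_private_page() and the timeout values are illustrative assumptions.
function fetch_private_page(string $url): string
{
    // Refuse anything but HTTPS so the content never crosses the network in clear text.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Only https:// URLs are allowed');
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // no fallback to other protocols
        CURLOPT_FOLLOWLOCATION => false,           // do not follow redirects elsewhere
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);

    $body   = curl_exec($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    // Fail closed: never echo an error page or a partial response into the DIV.
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Fetch failed (HTTP $status): $error");
    }
    return $body;
}

// Demonstration with the placeholder URL from the answer above: the plain-http
// address is rejected before any network connection is attempted.
try {
    echo fetch_private_page('http://my.secret.server.com/my/secret/content.html');
} catch (InvalidArgumentException $e) {
    echo 'Refused: ' . $e->getMessage() . PHP_EOL;
}
```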
 

Author Comment

by:davebird
ID: 40002138
Thank you.  That's awesome and should work. My "beginner" question is:
If the public hosted site gets hacked, the source line of
<?php echo file_get_contents('http://my.secret.server.com/my/secret/content.html') is visible and then easily accessible by opening a browser and going there.  
How do I tell PHP where to go get it such that someone who "got" the code can't go there?
Promise, that's my last concern.
And Thank you for the code.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40002892
Ask yourself: "What is the information you're trying to protect?"  If it's bowling scores, medical records, financial data or nuclear launch codes the processes are different.  If your process publishes the sensitive data on a web page, the data has been released into the wild and you no longer have control over where it goes.  If your process simply uses the data in a way that yields a different web page, and simultaneously prevents a web site visitor from discerning what the underlying data contains, you have a gentleman's chance of keeping your secrets.

Maybe with a little more exposition and some examples we could give you a stronger answer.
0

 

Author Comment

by:davebird
ID: 40002908
Happy to share.  I need to send confidential information to share between people in a firm. I need to have online banking type security. They want to be able to have their browsers or mobile device open and be able to refresh while out in the field for new or urgent requests. The site already has an SSL certificate, but I can't store the data on the public site.  I want to pull it from a remote server. But I can't wrap my head around a way to connect to the remote server from the public host without plain text in the PHP file revealing where the (server/data URL) is.
0
 
LVL 57

Assisted Solution

by:Julian Hansen
Julian Hansen earned 250 total points
ID: 40003290
If you don't want the location to be in the open in the PHP files then you can look at putting code on the private server that only allows requests from the public server's IP.

In other words
$public_ip = '10.10.10.76';
if ($_SERVER['REMOTE_ADDR'] != $public_ip) {
   die('RESTRICTED ACCESS');
}


0
 
LVL 110

Accepted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 40003792
Executive summary: If you can't secure your PHP scripts against unwanted exposure you have a major security problem.  You might want to get involved in OWASP or read the PHP Security manual.

Let's go back to this...
If the public hosted site gets hacked, the source is visible and then easily accessible by opening a browser and going there.  How do I tell PHP where to go get it such that someone who "got" the code can't go there?
That does not have to be true.  Here are some of the ways to prevent direct browser access or obscure the information in ways that would make it harder to attack.

1. Place the sensitive data outside of the WWW root directory.  This would require a server-side script to access the sensitive data and deliver the sensitive data to the client.  You can build some protections into that server-side script.

2. Test the HTTP_REFERER value.  While it is true that this and all other components of the request can be spoofed, it's unlikely that a casual observer will know whether / how to spoof the value.

3. Set an authentication signal in the PHP session. (The success of this strategy will depend on your URLs and the way you start the session).

4. Encode the PHP scripts with something like IONCube.

Ultimately, PHP security is like a fire safe.  A safe is rated for temperature and time until the contents are incinerated.  Your PHP security measures will withstand some kinds of attacks for some period of time, but eventually, if the attacker is resourceful, determined and technically savvy, they can be broken.  You need to plan for that eventuality even as you try to minimize the risk.
0
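An added example, not part of the thread, that goes beyond the IP check in the earlier answer: the public host signs each request with a shared secret kept out of the page source, so knowing the URL alone is not enough. The header names, the 60-second window and all sample values are assumptions made for the illustration.

```php
<?php
// Added example. Header names, the 60-second window and the secret are assumptions.

// Public host: sign "timestamp + path" with a key that is not in the page source.
function sign_request(string $path, string $secret, int $now): array
{
    $mac = hash_hmac('sha256', $now . "\n" . $path, $secret);
    return ['X-Timestamp' => (string) $now, 'X-Signature' => $mac];
}

// Private server: allow the request only if address, freshness and MAC all check out.
function authorize_request(array $server, array $headers, string $path,
                           string $secret, string $publicIp, int $now): bool
{
    if (($server['REMOTE_ADDR'] ?? '') !== $publicIp) {
        return false;                       // the IP gate from the earlier answer
    }
    $ts = (int) ($headers['X-Timestamp'] ?? 0);
    if (abs($now - $ts) > 60) {
        return false;                       // missing, stale or replayed timestamp
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $path, $secret);
    // hash_equals() compares in constant time.
    return hash_equals($expected, (string) ($headers['X-Signature'] ?? ''));
}

// Constructed sample values. In production the secret would be read from a file
// outside the web root or from an environment variable, never hard-coded.
$secret = 'constructed-demo-secret';
$path   = '/my/secret/content.html';
$ip     = '10.10.10.76';
$now    = 1397600000;
$good   = sign_request($path, $secret, $now);

$cases = [
    'valid request'    => [['REMOTE_ADDR' => $ip], $good, $now],
    'URL only, no MAC' => [['REMOTE_ADDR' => $ip], [], $now],
    'other address'    => [['REMOTE_ADDR' => '203.0.113.9'], $good, $now],
    'replayed later'   => [['REMOTE_ADDR' => $ip], $good, $now + 3600],
];
foreach ($cases as $label => [$srv, $hdr, $t]) {
    $ok = authorize_request($srv, $hdr, $path, $secret, $ip, $t);
    echo str_pad($label, 20) . ($ok ? 'allowed' : 'RESTRICTED ACCESS') . PHP_EOL;
}
```

Only the first case prints "allowed"; the other three are rejected for a missing signature, a wrong source address and an expired timestamp respectively.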
 

Author Closing Comment

by:davebird
ID: 40003941
While almost every question I ask out here is answered to some degree, the respondents on this question were spot on and direct. Thank you!
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40004027
Thanks for the points and thanks for using EE, ~Ray
0
