[Phpwm] subdomains & includes

Phil Beynon phil at infolinkelectronics.co.uk
Wed Jan 24 09:37:18 GMT 2007


> >  This is odd and perplexing.....
> >
> >  I've got a subdomain site set up which has got a path to a config
> >  file which contains things like database name, password etc. This is
> >  brought in as an include() to the pages and works fine. On the main
> >  site if I do the include with the full url it sees the file, if I do
> >  echo "boo!"; in the page it does this, so I know it sees the file....
> >  but it's not giving up any of the variable values when they get asked
> >  for.
> >
> >  So: subdomain.example.com has: include('/admin/config/siteconfig.php');
> >  and that works just fine for seeing the database.
> >
> >  But www.example.com has:
> >  include('http://subdomain.example.com/admin/configs/siteconfig.php');
> >  (which can be seen to be working from an echo to the page so it's not
> >  an incorrect path) But isn't getting any of the values of
> >  variables in siteconfig.php
>
>
> I'd have thought the obvious answer was that when you do an include
> with http:// in it, the web server is interpreting it, and sending back
> just 'boo!' and not "echo 'boo!'".
>
> In other words, include('http://.......') fetches the file from the remote
> web server. If it is a .php file, it will execute on the remote server,
> and return you the output from that execution. This is a big difference
> between local file opening (not through apache) and remote file opening
> (through Apache).
>
> If you wish to get around this limitation, you'd need to rename the
> remote file so it doesn't end in .php, and therefore stop Apache passing
> its content through the PHP interpreter. This is probably insecure, so
> you might want to mix in .htaccess style authentication to stop
> $the_rest_of_the_world from accessing your database settings etc.

Yup, I normally add an ht password below the site root with an htaccess
barring any non logged in activity from the management area upwards, then
store images above that level with another htaccess to disinherit the login
requirements.

> After all, if I could do an 'include' on an arbitrary php file doing
> include('http://some.where/foo/bar.php') and see its source, I'd make
> an excellent hacker!

Sure, I realise that! :-)

> I'd strongly recommend you stick with
> include('/admin/config/siteconfig.php');
>
> thanks
> David.
>
Normally I do, that's my standard procedure - I don't normally use subdomains
much in the context of what I'm currently doing and it would have been nice
to share the same file.
I'm not sure if the server is going to allow me to use a path yet which goes
below the site root, this is a Cobaltism for the way the server handles
users, and I really don't want it logging across the filesystem as root for
obvious reasons!

Phil
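
Added example (not part of the original thread): a PHP helper that loads a shared config file by local filesystem path only and refuses URL-style paths, since an http:// include returns the remote server's output rather than the file's variables. The function name load_site_config, the temp-directory paths and the sample settings are assumptions, and the config file is assumed to return an array instead of setting globals.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Loads a shared config file from the local filesystem only, so PHP reads
// the source itself instead of asking a web server to execute it.

function load_site_config(string $path, string $allowedDir): array
{
    // Reject anything with a stream wrapper (http://, ftp://, php://, ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        throw new InvalidArgumentException("URL includes are not allowed: $path");
    }

    // Resolve symlinks and ../ so the containment check is on the real path.
    $real = realpath($path);
    $base = realpath($allowedDir);
    if ($real === false || $base === false) {
        throw new RuntimeException("Config file or directory not found");
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("Config file is outside $base");
    }

    // The file is expected to `return [...]`, so settings arrive as a value
    // rather than as globals.
    $config = require $real;
    if (!is_array($config)) {
        throw new UnexpectedValueException("Config file did not return an array");
    }
    return $config;
}

// Constructed demo: write a sample config to a temp dir and load it both ways.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'siteconfig_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/siteconfig.php",
    "<?php\nreturn ['db_name' => 'example_db', 'db_user' => 'example_user'];\n");

$config = load_site_config("$dir/siteconfig.php", $dir);
echo "db_name = {$config['db_name']}\n";

try {
    load_site_config('http://subdomain.example.com/admin/configs/siteconfig.php', $dir);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

unlink("$dir/siteconfig.php");
rmdir($dir);
```

In a real deployment the allowed directory would be one location outside both document roots that the main site and the subdomain can each read.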



