It's a bit like grabbing global script snippets and compiling them after putting them together on a different server.
<?php
$var = 'main.php';
file_put_contents("local_sub.php", file_get_contents("http://noexecution.tld/sub.php") );
include "local_sub.php";
echo $var;
?>
sub.php | line 1 notcompiled<br>
<?php $var = 'sub.php | line 2 compiled later<br>'; ?>
sub.php | line 3 notcompiled<br>
sub.php | line 1 notcompiled
sub.php | line 3 notcompiled
main.php
sub.php | line 1 notcompiled
sub.php | line 3 notcompiled
line 2 compiled later
My own workaround is to simply switch the extension from sub.php to sub.whatever and rename it "on the fly".
The source code is the same, but I changed file_get_contents("http://noexecution.tld/sub.php") to file_get_contents("http://noexecution.tld/sub.DontCompileAsPhp").
<?php
$var = 'main.php';
file_put_contents("local_sub.php", file_get_contents("http://noexecution.tld/sub.DontCompileAsPhp"));
include "local_sub.php";
echo $var;
?>
The source code is the same, but without the php extension it will not be compiled as PHP either.
sub.php | line 1 notcompiled<br>
<?php $var = 'sub.php | line 2 compiled later<br>'; ?>
sub.php | line 3 notcompiled<br>
sub.php | line 1 notcompiled
sub.php | line 3 notcompiled
line 2 compiled later
I want to have a clean way to defer the compiling without playing around with extensions...
__halt_compiler(); [...]
ob_start(); [...]
any help is very welcome - thanx in advance | BTW: it's my very first question
As @Dagon stated in the comments, you'll create a huge security hole in your application when you simply open your scripts to the world.
Since what you want to achieve is to share the scripts between several applications/servers, I can think of at least 2 ways to do that:
The second is the better option, due to both security and performance. Doing that, you don't need to access another server during execution to fetch the scripts, and you'll have a local copy of all shared scripts.
You can also use a dependency manager, like Composer (https://getcomposer.org/), to easily add your scripts to new applications.
First, and correct me if I am wrong, php is an interpreted language not a compiled one.
Well, as for your question, I would highly unrecommend putting your code at plain sight. It is true a hacker would need to know the exact file name of the file to be able to access it, but still it is a security risk I wouldn't take. So, the fastest and easiest solution I can think of is:
Protect your scripts folder in noexecution.tld/scripts with a .htaccess file that should look like this:
AuthType Basic
AuthName "Do you have security clearance for this ?"
AuthUserFile /path/to/.htpasswd
Require valid-user
and a .htpasswd that should look like this (for admin:admin authentication):
admin:$apr1$kO7YWurq$QHrgAbwXAyNZJfBd/gEc71
You can use this link to generate the .htpasswd file for any user:password you like
You can either continue changing your PHP scripts' extensions, or just append this to your .htaccess to have your PHP files in the underlying folders treated as binary files:
AddType application/octet-stream .php
As for how to access the files in noexecution.tld/scripts now from PHP on execution.tld/*.php, you need to set up basic authentication with curl. If you do not know how to implement that, check out this tutorial
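A sketch of the cURL fetch with basic authentication that the answer above refers to, added here as an example and not taken from the answer or its linked tutorial. It assumes the scripts host is reachable over HTTPS and that the credentials come from the hypothetical environment variables `SCRIPTS_USER` and `SCRIPTS_PASS`; the function name is also illustrative.

```php
<?php
// Added example: fetch PHP source from the password-protected scripts folder.
// Basic auth sends the password base64-encoded, not encrypted, so the
// function refuses anything except HTTPS and keeps certificate checks on.
function fetchRemoteSource(string $url, string $user, string $pass): string
{
    if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('Refusing to send credentials over a non-HTTPS URL');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,            // return the body instead of printing it
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass,
        CURLOPT_SSL_VERIFYPEER => true,            // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // verify the host name in the certificate
        CURLOPT_FOLLOWLOCATION => false,           // never forward credentials to a redirect target
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    if ($body === false || $status !== 200) {
        // A 401 page or an error document must never reach include.
        throw new RuntimeException("Fetch failed (HTTP $status): $error");
    }
    return $body;
}

$source = fetchRemoteSource(
    'https://noexecution.tld/scripts/sub.php',
    getenv('SCRIPTS_USER') ?: '',   // hypothetical variable names
    getenv('SCRIPTS_PASS') ?: ''
);

// Write to a temporary file and rename it, so a failed or partial download
// never replaces the last good copy that main.php includes.
$tmp = tempnam(__DIR__, 'sub_');
file_put_contents($tmp, $source, LOCK_EX);
rename($tmp, __DIR__ . '/local_sub.php');
include __DIR__ . '/local_sub.php';
```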
You could use a wrapper script (e.g. download.php) on the noexecution.tld server which delivers the plaintext of your PHP files, as I suggested at Update local php file from remote php file
<?php
$file = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
// @TODO: Add security check if file is of type php and below document root. Use realpath() to check this.
header("Content-Type: text/plain");
header("Content-Disposition: attachment; filename=\"$file\"");
readfile($file);
?>
This would be called like http://noexecution.tld/download.php?file=sub.php
But: You have to add security precautions to this script, as it would deliver any file to the calling script, even sensitive files like configuration files.
Possible checks:
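One way to fill in the `@TODO` in the download.php above, as an added example that is not the answer author's code. It assumes the shareable scripts live in a dedicated directory (the path in `SHARED_DIR` is hypothetical) instead of the whole document root, so that configuration files ending in .php are not served either; `resolveSharedFile` is an illustrative name.

```php
<?php
// Added example: download.php with the realpath() and file-type checks in place.
const SHARED_DIR = '/var/www/shared-scripts';   // hypothetical location

// Returns the canonical path of the requested file, or null if it must not be served.
function resolveSharedFile(string $requested, string $baseDir): ?string
{
    // Path functions in PHP 8 throw on NUL bytes, so reject them up front.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "../" segments and symlinks and fails for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The canonical path must still be inside the shared directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only PHP source files are meant to be shared.
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') {
        return null;
    }
    return $path;
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolveSharedFile($requested, SHARED_DIR) : null;
if ($path === null) {
    // Same response for "missing" and "not allowed", so the script does not
    // reveal which files exist outside the shared directory.
    http_response_code(404);
    exit;
}

header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
// Send only the file name, not the server-side path.
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```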
The "workaround" you have come up with is the only solution, although there are some variants. What you are doing is not really "delaying execution of a script", you are just serving some text on a (presumably public) web page which happens to be PHP source code.
The server hosting that text file has no control of what you do when you download it, so the code that later executes it is basically irrelevant (as is the name of the temporary file you save it to - include doesn't check the file extension).
Looking at it from that point of view, there are a few ways of doing basically the same thing:
Or, of course, you could write a PHP script which echoes the PHP source code, rather than just putting the code in a text file. This would make sense if the code dynamically changes in some way, which would be closer to your description of "delaying some code execution".