Alternative to PHP 'Include'?

[Gene]

I have many different websites, each one using a php include to insert content from my main source website. All are on the same server, and the server is set to allow php includes from one url to another. No problem.

I'd like to be able to include content in websites that reside on other servers (that I do not have control over). I want various site owners to be able to include my html content regardless of where they are hosted.

Is there a way to do this without the site owner having to custom tweak server settings? Is there another method other than php includes or iframes?

Thanks!

 

[eagle12]

You could probably use file_get_contents to pull the html.

 

[EGS]

An alternative to a PHP include is require but then again these won't work if you have PHP safe mode enabled - people won't be able to pull content from your site and place it on theirs since they're not on the same server.

The best way to accomplish this would be through PHP and JavaScript, and possibly even AJAX. That's how Google does it with ad serving and how a lot of sites allow content to be displayed on other sites. This also gives you some control too, ie, you can force link-backs to your site and more.

 

[alibaba]

i might not understand u

but curl seems to me right choice with php

 

[Gene]

The best way to accomplish this would be through PHP and JavaScript, and possibly even AJAX.

Thanks, but I wouldn't know where to begin. I was hoping for a solution fairly simple to apply, like a php include.

i might not understand u

but curl seems to me right choice with php

What? lol

 

[Kate]

I'd like to be able to include content in websites that reside on other servers (that I do not have control over). I want various site owners to be able to include my html content regardless of where they are hosted.

Gene it is very dangerous to include external code. For example you might include malicious code that would send your config files passwords etc to a hacker

 

[Gene]

Gene it is very dangerous to include external code. For example you might include malicious code that would send your config files passwords etc to a hacker

Thanks Kate... but isn't there a way to simply "feed" a basic HTML page content to another site without being 'dangerous'?

I mean, in a similar way to placing an image on YOUR webpage that resides on MY server. Can't this be done safely with other types of content? Like an isolated html page?

 

[alibaba]

Thanks, but I wouldn't know where to begin. I was hoping for a solution fairly simple to apply, like a php include.



What? lol

u lol urself

 

[shreder]

file_get_contents would be a good option.

What are you trying to do? show TEXT from the main server in a page on another server or include PHP files?
You could also check XML...

 

[Jim_]

Using include() is dangerous. Back in the day, my friends and I would seek out sites using some stupid code like ' include($_GET['page']); ' and pass them a GET variable of something like 'http://mysite.com/sscript.txt' which was a plain text file containing a php script. With a php include(), the file is not only read, but executed after being loaded. We often ran php shell scripts on other people's servers which gave us access to a good portion of their server.

I often hear of people nowadays using lists of sites with these RFI's (remote file inclusions) to run spamming scripts. In your case, the files being included are stored on your server, so it's fairly safe, but even so, it's not good practice and many web hosts disable the ability to include() from remote hosts.

The better options:

file_get_contents method

<?php echo file_get_contents(urlencode("http://www.site.com/file.html")); ?>

(the urlencode is there just in case you have special characters in your URL - if not, you can leave it out)

fopen method

<?php
$f = fopen(urlencode("http://www.site.com/file.html"), "r");
$content = "";
while($line = fread($f, 1024))
{
      $content .= $line;
}
echo $content;
?>

cURL method (only works for servers with cURL library installed)

<?php
$c = curl_init();
curl_setopt($c, CURLOPT_URL, urlencode("http://www.site.com/file.html"));
curl_setopt($c, CURLOPT_HEADER, 0);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$content = curl_exec($c);
curl_close($c);

echo $content;
?>

All of the cURL options and settings can be found here

If none of those options work, there's always javascript.

 

[Gene]

The better options:

file_get_contents method

<?php echo file_get_contents(urlencode("http://www.site.com/file.html")); ?>

(the urlencode is there just in case you have special characters in your URL - if not, you can leave it out)

Okay, now we're getting somewhere! I just tried this method and it seems to work fine from one server to another. Is there any security risk for me if I'm feeding the file from my server, allowing an outside website to put this line of code on their website to display the content?

Thanks a million!

 

[Jim_]

Nah. It's no different from someone with a web browser viewing your webpage, only it's another web server loading it.

 

[Gene]

Nah. It's no different from someone with a web browser viewing your webpage, only it's another web server loading it.

That's what I figured... in that case, it's the solution I was after! Thanks Man... Sending some NP$ your way

 

[qbert220]

Is there any security risk for me if I'm feeding the file from my server, allowing an outside website to put this line of code on their website to display the content?

Yes. This potentially leave your site open to cross-site scripting (XSS) security problems.

The basic principal of which is that a malicious person feeding content to your site could inject some JavaScript to read some privilidged information and relay that back to the attacker.

An example of this attack in use would be:

1. Legitimate user logs into a site.
2. Legitimate user visits page on same site with XSS vulerability.
3. XSS script (executing on legitmate user's browser) sends login cookie to attacker.
4. Attacker uses Legitate user's login cookie to gain access to legitmate user's account.

 

[Gene]

Yes. This potentially leave your site open to cross-site scripting (XSS) security problems.

The basic principal of which is that a malicious person feeding content to your site could inject some JavaScript to read some privilidged information and relay that back to the attacker.

An example of this attack in use would be:

1. Legitimate user logs into a site.
2. Legitimate user visits page on same site with XSS vulerability.
3. XSS script (executing on legitmate user's browser) sends login cookie to attacker.
4. Attacker uses Legitate user's login cookie to gain access to legitmate user's account.

Thank you for this additional information. When you say a XSS script could be executed on a legitimate user's browser, wouldn't that be true regardless of using the aforementioned code? I'm not understanding how using that code opens any doors. If you'd like to PM me as to not post this information publicly I'm listening.

Thanks again.

Specifically, this code:

  <?php echo file_get_contents(urlencode("http://www.site.com/file.html")); ?>

 

[Eric]

Thank you for this additional information. When you say a XSS script could be executed on a legitimate user's browser, wouldn't that be true regardless of using the aforementioned code? I'm not understanding how using that code opens any doors. If you'd like to PM me as to not post this information publicly I'm listening.

Thanks again.

Specifically, this code:

  <?php echo file_get_contents(urlencode("http://www.site.com/file.html")); ?>

This code would not open any doors on your server. They're just reading a file you have control over.

 

[qbert220]

If site1.com and site2.com are maintained by different people and site1.com includes the following code on their server:

 <?php echo file_get_contents(urlencode("http://www.site2.com/file.html")); ?>

then the owner of site2.com could inject site1.com with an XSS script. Also, if site2.com is hacked, then site1.com could also be vulnerable to a XSS injection by the hacker.

 

[Gene]

If site1.com and site2.com are maintained by different people and site1.com includes the following code on their server:

 <?php echo file_get_contents(urlencode("http://www.site2.com/file.html")); ?>

then the owner of site2.com could inject site1.com with an XSS script. Also, if site2.com is hacked, then site1.com could also be vulnerable to a XSS injection by the hacker.

Thank you for that clarification, I appreciate it!

 

[cerebus]

It does not solve all or even most of security issues but the 2 common and widespread ways to share viewer-ready content with other sites is by including an external javascript file (meaning your file.html is a file.js that has document.write() instructions) or using an iframe to hold the external html (does not give the same native dynamic sizing but limits security issues). These two are by far the most common among less trusted sites no matter if its trackers/counters, ads, widgets or html snippets thats being shared.

It is common that mashup sites likes to parse their own (raw) data from XML/JSON/whatever web services instead but including an external html code straight out is nothing popular or commonly practiced from either one side.

 

[Keral_Patel]

Best way is use XML to deliver the data and PHP to parse it on the sites receiving the data.