0

I have many websites installed on the same web server. What I want to do is to be able to include the same file from different websites, like this:

```php
<?php include '/home/site/www/path/to/file.php'; ?>
```

and at the same time block functions like `highlight_file` and `file`, so that using the following code won't display my files' content:

```php
<?php echo highlight_file('/home/site/www/path/to/file.php'); ?>
```

Any help will be appreciated.

MaK
  • Have a look at how to [redefine built in functions](http://stackoverflow.com/questions/2326835/redefine-built-in-php-functions) – Anigel Jun 13 '13 at 13:02
  • I'm not entirely sure what you're trying to achieve here? If your plan is to allow sites to include PHP code but also prevent them from reading the contents of that same PHP code, then just blocking `highlight_file()` is only a very tiny part of the answer -- there are several other ways they could read the file. I think you're approaching the problem from the wrong angle. I don't think it's solvable in the way you want to do it. – Spudley Jun 13 '13 at 13:29
  • I'll need to give some clients FTP access to their websites. All those websites include a file containing DB access data; the file is not stored in the same directory as the client website, so he can't view it via the FTP account, but he can still use functions such as highlight_file, file, file_get_contents... to reveal the PHP source. Any ideas? – MaK Jun 13 '13 at 13:32
  • @user2482247 - if they include the file, could they not just echo the connection variables anyway? – Spudley Jun 13 '13 at 13:36
  • 1
    And also, if they've got a connection to the DB in their program, they can do whatever is allowed by those DB credentials, so what security have you got left to protect anyway? – Spudley Jun 13 '13 at 13:38
  • 1
    You would be better off giving each user their own set of DB credentials with limits for each user on what the DB will allow them to do (i.e. can only access certain tables; can't create tables; etc.). Then you don't need a central file containing a master set of DB credentials, and so there's no need to try to come up with ways to protect it. – Spudley Jun 13 '13 at 13:41
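
The per-client database credentials suggested in the comments above, sketched as an added example that is not part of the original thread. It assumes MySQL 5.7 or later; every database, table and account name is hypothetical, and the passwords are placeholders.

```sql
-- Added example, MySQL syntax assumed. Hypothetical names throughout:
-- databases site_a, site_b, shared; table shared.audit_log;
-- accounts site_a_app, site_b_app, shared_app.

-- Setup so the script runs on an empty server.
CREATE DATABASE IF NOT EXISTS site_a;
CREATE DATABASE IF NOT EXISTS site_b;
CREATE DATABASE IF NOT EXISTS shared;
CREATE TABLE IF NOT EXISTS shared.audit_log (
    id      INT AUTO_INCREMENT PRIMARY KEY,
    site    VARCHAR(32)  NOT NULL,
    message VARCHAR(255) NOT NULL,
    created TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- Weak setup from the question: one master account, stored in a common
-- include file, usable by every client site (shown commented out):
-- GRANT ALL PRIVILEGES ON *.* TO 'shared_app'@'localhost';

-- One account per client site. Each password lives only in that site's
-- own config file, so there is no central file left to protect.
CREATE USER 'site_a_app'@'localhost' IDENTIFIED BY 'REPLACE_WITH_RANDOM_SECRET_A';
CREATE USER 'site_b_app'@'localhost' IDENTIFIED BY 'REPLACE_WITH_RANDOM_SECRET_B';

-- Row-level data access only, scoped to the client's own database.
-- No CREATE, DROP, ALTER, FILE or GRANT OPTION is given.
GRANT SELECT, INSERT, UPDATE, DELETE ON site_a.* TO 'site_a_app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON site_b.* TO 'site_b_app'@'localhost';

-- Table-level grant: both sites may read and append to one shared table,
-- but cannot change or delete existing rows.
GRANT SELECT, INSERT ON shared.audit_log TO 'site_a_app'@'localhost';
GRANT SELECT, INSERT ON shared.audit_log TO 'site_b_app'@'localhost';

-- Cap what a single client account can consume.
ALTER USER 'site_a_app'@'localhost' WITH MAX_USER_CONNECTIONS 20;
ALTER USER 'site_b_app'@'localhost' WITH MAX_USER_CONNECTIONS 20;

-- Check the result before handing the credentials over.
SHOW GRANTS FOR 'site_a_app'@'localhost';
SHOW GRANTS FOR 'site_b_app'@'localhost';

-- Retire the master account once every site uses its own.
DROP USER IF EXISTS 'shared_app'@'localhost';
```

With this layout a client who reads or echoes the credentials in their own site's config gains nothing beyond the database access their site already has.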

2 Answers

0

If you want your PHP files to be runnable but be safe from being read, your best option is to encode them.

Take a look at IonCube PHP Encoder and Zend Guard; they are both very popular options to protect source code.

Blocking PHP functions can work, but you'll never be safe because you can forget functions (can you really list them all? What if there's one you actually need?), or new functions could be added in the future and if you do not block them you'd be exposed.

Alexandre Danault
  • Thanks for your answer, but both IonCube and ZendGuard are not free solutions. If you have any tips about how I can block functions, it would be great, and if possible to block those functions only for a given file. – MaK Jun 13 '13 at 13:15
0

> ...so using the following code won't display my files' content

Does that mean you want to allow other people to deploy code on the server which calls your code without revealing the PHP source? If so, then disabling highlight_file isn't going to help much. You also need to disable include, require, fopen, file_get_contents, the imap extension and several other things - which means they won't be able to access your code at all.

If you're letting other people whom you don't necessarily trust deploy code on your server then there are lots of things you need to do to isolate each account - it's not a trivial exercise and well beyond the scope of an answer here. But it's not really possible to allow access to a shared include file without providing access to the source code. Using encoded PHP solves some problems but introduces others. A better solution is to expose the functionality via a web or socket API (this solves the sharing problem but not the isolation problem).

symcbean
  • I'll need to give some clients FTP access to their websites. All those websites include a file containing DB access data; the file is not stored in the same directory as the client website, so he can't view it via the FTP account, but he can still use functions such as highlight_file, file, file_get_contents... to reveal the PHP source. Any ideas? – MaK Jun 13 '13 at 13:30
  • Sounds like you need a **lot** of help with this; your question is just the tip of a very large iceberg. Sorry I don't have a couple of days which might turn into a couple of weeks to spend working on this. – symcbean Jun 13 '13 at 13:35