32

I have two PHP files located on different servers, one at http://www.mysite.com/main.php, the other at http://www.sample.com/includeThis.php.

I want to include the second file from the first one.

The content of the second file looks like this:

<?php
$foo = "this is data from file one";

And the first file:

<?php
include "http://www.sample.com/includeThis.php";
echo $foo;

Is there any way I can do this?

NikiC
  • 100,734
  • 37
  • 191
  • 225
Desolator
  • 22,411
  • 20
  • 73
  • 96
  • 1
    Just searched on Google to arrive here. What if the other server is in the intranet of the same server? This could be very useful for code reusing at a corporate level and PHP native load balancing. – datasn.io Feb 25 '14 at 01:21
  • what about the use of API uploaded on server 1 and than use that API in your php code on other server. – Abdul Wahid Oct 07 '20 at 10:17

6 Answers6

38

Nope, this setting is disabled/not allowed by default in most web servers (php.ini) so you can not use the include to include the files from a remote addresss for security reasons.

If you still want to allow inclusion of remote files, the directive allow_url_include must be set to On in php.ini

But again it is a bad practice, in a security-oriented point of view ; and, so, it is generally disabled (I've never seen it enabled, actually)

If you want to read the contents of a remote file though, you can use the file_get_contents function instead BUT this will be returned as pure HTML markup code, there won't be any server-side code.

Sarfraz
  • 377,238
  • 77
  • 533
  • 578
  • 2
    Yes, you could use `file_get_contents` and than `file_put_contents` to store it on your server, and than use `include` on it. Though it's a dangerous and risky thing to do IMO. But possible. And you can even extract certain code from it also and write only the code that you need from the file. – SoLoGHoST May 02 '10 at 07:50
  • I have the permissions to play with php.ini I have already enabled the allow_url_include. but when I use the mentioned method. I get nothing in the variable. means the variable is null. I dont know how to pass it to the main.php I'm using this method to prevent people from cracking my scripts. so there will be part of the script on my server. thats why I need to use this method – Desolator May 02 '10 at 08:07
  • if you allow_url_include, I need to know why is risky and not good practice. Because I need to stablish a system where I can make Php sheets with license expiration date. – vincent thorpe Jun 11 '21 at 20:24
5

After reading your comments - in which you state that you want to do this as a means of copy protection - my answer is an emphatical, forget it. This is not how copy protection works.

The only thing you can do using include() is fetch source code from elsewhere to be interpreted on the local interpreter. This is childishly easy to crack: A malicious customer would to just have to echo() the fetched code.

Executing the remote script remotely (on your server) won't help you, because the state of that script (variables, functions...) won't be present in the script you call it from.

The options you have are:

  • Compiling / encoding / obfuscating the script, possibly requiring a specific PHP module to execute it (lots of questions about this on SO)

  • Creating a real web service (e.g. using SOAP) that runs on your server, and performs the requested operations

For what it's worth, though, I personally do not purchase, nor recommend to clients to purchase, encoded scripts and scripts that need to "phone home" in order to work. I believe in protecting your products through a stringent license agreement (that will scare business customers into buying your product, because the risks of getting caught stealing are too expensive.)

Pekka
  • 442,112
  • 142
  • 972
  • 1,088
2

I wonder if the OP ever found a solution for himself. As far as I know, the only way to work this would be to have all your client accounts on the same server as the scripts you want to include - I've done something similar:

/path_to_myserver_root/httpdocs/clients/client01/wwwroot/scriptA.php /path_to_myserver_root/httpdocs/clients/client02/wwwroot/scriptA.php ETC....

THEN: /path_to_myserver_root/privatefiles/myapp/scriptB.php

wwwroot is where each client domain points.

scriptA.php has some business logic then includes scriptB.php for it's functions with the full path above:

require('/path_to_myserver_root/privatefiles/myapp/scriptB.php')

scriptB.php resides in a private protected dir on the server, inaccessible by http, and not traversable by the clients.

Now mind you, my reasons for doing this is to maintain version consistency across multiple accounts, not to withhold some proprietary magical php code from my clientele - But I suppose it could be implemented for that purpose.

Meh, YMMV.

antmeeks
  • 29
  • 2
0

When you're trying to go across domains as you have suggested, you're not actually including a file that's sat there ready to do - the process is different. The machine needs to bring back the file over http which isn't what the include statement is all about.

Also, if you're on shared hosting, PHP is often configured to prevent you from going outside of your own domain.

If you aren't under this restriction, one solution might be to use PHP to copy back a copy of the file from the other server, and then include it once it's sat in your domain. Another apporach might be to write a little "deployment" script that copies it everywhere it needs to be whenever you make changes...

Hope this helps...

Martin

Martin Milan
  • 6,346
  • 2
  • 32
  • 44
  • I dont want to copy the file on the other side. because as I said before I'm using this method to prevent people from cracking my scripts. so there will be part of the script on my server. thats why I need to use this method. – Desolator May 02 '10 at 08:09
  • How does having a script on the internet help protect your scripts? I'm not sure I understand your approach... – Martin Milan May 02 '10 at 08:45
  • I have 2 scripts the first one is the main script which I will be selling to my customers. and the second has the main functions of the first script. so in order to use the script with functions. user must be authenticated in order to get the included functions. means the main script is depending on the functions script. if any cracker tries to null the script it will not work. in other words, it will be not possible to crack it because the include file is saved on my server. so no one can access it unless if he was a legit customer. I hope you understand what im trying to do here. – Desolator May 02 '10 at 14:13
0

rename the first one to .txt
then think twice, are you sure you need cross-domain include

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
0

Use file_get_contents, to open up the file, append it to the second file like so:

$secondFile = file_get_contents('http://www.sample.com/includeThis.php');
file_put_contents('your_file', $secondFile, FILE_APPEND);

This will work if you want to put it at the end of your file. Than just do an include on your file.

Anyways, like I said, this is risky and dangerous IMO, especially if you aren't sure about the content it has inside of it.

Also, your_file will need to be an actual server path, not a URL.

SoLoGHoST
  • 2,673
  • 7
  • 30
  • 51