[thelist] Call a php script on another server?

Anthony Baratta anthony at baratta.com
Wed May 31 18:33:00 CDT 2006


FYI - putting the password in the Query String is not secure even if using SSL. The URL is "open" irrespective of the protocol.

If you can use SSL to secure the connection, you'll have to emulate a "post" server to server. 

Another way is to use RSA encryption. Generate a public & private key. Give the Public Key to Server A, the private Key to Server B. Encrypt your password phrase on Server A, and post to Server B. Decrypt the string on Server B and verify the password phrase. If it passes (and comes from a known IP) send back a result.

If you can use RSA encryption you could encrypt all the post info and secure just the postable values being sent back and forth.

Obviously you can have a second Public / Private key pair for sending from Server B back to Server A.

http://pear.php.net/package/Crypt_RSA/docs/1.0.0/Crypt_RSA/_Crypt_RSA-1.0.0_RSA_php.html

-----Original message-----
From: "Max Schwanekamp" lists at neptunewebworks.com
Date: Wed, 31 May 2006 14:22:49 -0700
To: thelist at lists.evolt.org
Subject: Re: [thelist] Call a php script on another server?

> > From: Travis Brunn  
> > Is there anything particularly bad about doing something like this...
> >  
> > <?php
> > echo "here is output from a remote secret script: ";
> > readfile('http://www.myremoteserver.com/outputstuff.php?pw=secret');
> > ?>
> >  
> > ...and passing a password in the querystring as a safeguard?  
> > (So that if the script was executed without the password it 
> > wouldn't output any content?)
> 
> http://www.myremoteserver.com/outputstuff.php?pw=secret
> 
> It may be obscured from the user, but http is still non-secure.  Use https.
> If possible, restrict access to outputstuff.php to the IP address of the
> server reading the remote file.  This restriction can be put in httpd.conf,
> .htaccess (prob best) or in the script outputstuff.php, e.g. 
> <?php 
> if(isset($_SERVER['REMOTE_ADDR']) 
>    && '192.168.1.1' == $_SERVER['REMOTE_ADDR']) echo _THEPASSWORD;
> else echo 'Bah!';
> ?>
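
Added example, not part of the original messages: the server-to-server POST over SSL suggested above, combined with the IP check from the quoted reply. The URL and IP address are the ones used in the thread; the secret value and the function names are hypothetical placeholders.

```php
<?php
// Added example, not code from the thread.
const REMOTE_URL    = 'https://www.myremoteserver.com/outputstuff.php';
const ALLOWED_IP    = '192.168.1.1';                    // Server A, as in the thread
const SHARED_SECRET = 'replace-with-long-random-value'; // placeholder

// Server A: send the secret in the POST body over HTTPS, so it is not part
// of the URL that web servers write to their access logs.
function fetch_remote(string $url, string $secret)
{
    $context = stream_context_create([
        'http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query(['pw' => $secret]),
            'timeout' => 10,
        ],
        // Verify Server B's certificate and host name.
        'ssl' => ['verify_peer' => true, 'verify_peer_name' => true],
    ]);
    return file_get_contents($url, false, $context); // false on failure
}

// Server B (outputstuff.php): accept only a POST from the known IP that
// carries the right secret. hash_equals() compares in constant time.
function is_authorized(array $server, array $post): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && ($server['REMOTE_ADDR'] ?? '') === ALLOWED_IP
        && isset($post['pw']) && is_string($post['pw'])
        && hash_equals(SHARED_SECRET, $post['pw']);
}

// Constructed requests that exercise the check offline; in outputstuff.php
// the call would be is_authorized($_SERVER, $_POST).
$requests = [
    'valid POST'     => [['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '192.168.1.1'], ['pw' => SHARED_SECRET]],
    'GET, no body'   => [['REQUEST_METHOD' => 'GET',  'REMOTE_ADDR' => '192.168.1.1'], []],
    'unknown IP'     => [['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '10.0.0.5'],    ['pw' => SHARED_SECRET]],
    'wrong secret'   => [['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '192.168.1.1'], ['pw' => 'secret']],
    'array injected' => [['REQUEST_METHOD' => 'POST', 'REMOTE_ADDR' => '192.168.1.1'], ['pw' => ['x']]],
];
foreach ($requests as $label => [$server, $post]) {
    printf("%-16s %s\n", $label, is_authorized($server, $post) ? 'allow' : 'deny');
}
```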



