PHP - Preventing Remote File Inclusion

Hello, this script originally works by reading a physical copy of 'bans.txt' located in the same directory. How could I get it to read the remote bans.txt located here and parse info from it like the on-site copy?

the remote file: http://108.163.211.219/bans.txt

Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Data Tables and Cascading Style Sheets Gallery</title>
<style>/*
Tema: Soft Table - A Simple table style with the use of the soft brown color
Author: Newton de G?es Horta
Site: --
Country Origin: Brazil
*/

table {
 font-size:0.9em;
 font-family: Arial, Helvetica, verdana sans-serif;
 background-color:#fff;
 border-collapse: collapse;
 width: 100%;
}
caption {
 font-size: 25px;
 color: #1ba6b2;
 font-weight: bold;
 text-align: left;
 background: url(http://www.nghorta.com/csstg/header_bg.jpg) no-repeat top left;
 padding: 10px;
 margin-bottom: 2px;
}
thead th {
 border-right: 1px solid #fff;
 color:#fff;
 text-align:center;
 padding:2px;
 text-transform:uppercase;
 height:25px;
 background-color: #a3c159;
 font-weight: normal;
}
tfoot {
 color:#1ba6b2;
 padding:2px;
 text-transform:uppercase;
 font-size:1.2em;
 font-weigth: bold;
 margin-top:6px;
 border-top: 6px solid #e9f7f6;
}
tbody tr {
 background-color:#fff;
 border-bottom: 1px solid #f0f0f0;
}
tbody td {
 color:#414141;
 padding:5px;
 text-align:left;
}
tbody th {
 text-align:left;
 padding:2px;
}
tbody td a, tbody th a {
 color:#6C8C37;
 text-decoration:none;
 font-weight:normal;
 display:block;
 background: transparent url(http://www.nghorta.com/csstg/links_yellow.gif) no-repeat 0% 50%;
 padding-left:15px;
}
tbody td a:hover, tbody th a:hover {
 color:#009193;
 text-decoration:none;
}
/* tr:nth-child(even) {
    background-color: grey;
} */
</style></head>
<body>

<table summary="Submitted table designs">
<thead><tr>
<th style="font-size:12px" scope="col"><center>Nickname</center></th>
<th style="font-size:12px" scope="col"><center>Admin</center></th>
<th style="font-size:12px" scope="col"><center>Banned</center></th>
<th style="font-size:12px" scope="col"><center>Reason</center></th>
<th style="font-size:12px" scope="col"><center>SteamID</center></th>
<th style="font-size:12px" scope="col"><center>Length</center></th>
<th style="font-size:12px" scope="col"><center>Status</center></th>
</tr></thead>


<tbody>

<!-- <tr><th scope="row" id="r100"><a href="100.php">rows table template</a></th>
<td><a href="http://www.adobati.it">Omar '0m4r' Adobati</a></td><td>Italy</td>
<td>Simple, clean and a quite classic table template :)</td>
<td><a href="http://www.adobati.it/labs/CSSTable/0m4r.table.css" title="Download the rows table template CSS file">Download</a></td>
<td>test</td>
<td>test2</td>
</tr> -->




<?php

// Credits to justin as he was able to understand my messy PHP code and do this much better code for me.

function buildBanList($arr)
{

$filename = "bans.txt";

$bans = array();

$tmp_array = array();



// Build Ban Array
if (file_exists($filename)) 
{
foreach( $arr as $line )
{



if( substr(trim($line), 0, 7) == '"STEAM_' )
{

$tmp_array["user_steamid"] = str_replace('"', '', trim($line));

}



if( substr(trim($line), 0, 6) == '"time"' )
{

$tmp = explode(' ', trim($line));

$tmp_array["user_bantime"] = str_replace('"', '', $tmp[1]);

}



if( substr(trim($line), 0, 15) == '"modified_time"' )
{

$tmp = explode(' ', trim($line));

$tmp_array["user_modified"] = str_replace('"', '', $tmp[1]);

}



if( substr(trim($line), 0, 7) == '"unban"' )
{

$tmp = explode(' ', trim($line));

$tmp_array["user_unban"] = str_replace('"', '', $tmp[1]);

}



if( substr(trim($line), 0, 7) == '"admin"' )
{

$tmp = explode('" "', trim($line));

$tmp2 = explode('(', $tmp[1]);

$tmp_array["admin_name"] = str_replace('"', '', $tmp2[0]);

}



if( substr(trim($line), 0, 6) == '"name"' )
{

$tmp = explode('" "', trim($line));

$tmp_array["user_name"] = str_replace('"', '', $tmp[1]);

}



if( substr(trim($line), 0, 8) == '"reason"' )
{

$tmp = explode('" "', trim($line));

$tmp_array["user_reason"] = str_replace('"', '', $tmp[1]);

}



// Save ban record to main array once detected end.

if( substr(trim($line), 0, 1) == '}' )
{

// If console ban then set required fields.

if( $tmp_array["admin_name"] == "")
$tmp_array["admin_name"] = "Console";

array_push($bans, $tmp_array);
$tmp_array = array();

}

}
}



//Sort Array by Ban Date

$tmp = array(); 

foreach($bans as &$ma) 

    $tmp[] = &$ma["user_bantime"];

array_multisort($tmp, SORT_DESC, $bans); 



return $bans;



}



//Begin Presentation



$file = file("./bans.txt");

date_default_timezone_set("Europe/London");



$bans = buildBanList($file);



foreach ($bans as $ban)

{

echo '<tr>
';

// Output
if ($ban["user_name"] != '')
echo '<td style="text-align:center; font-size: 12px">'.$ban["user_name"].'</td><td style="text-align:center; font-size: 12px" class="admin">';
else
echo '<td style="text-align:center; font-size: 12px"><span style="color:#FF0000">N/A</span></td><td style="text-align:center; font-size: 12px" class="admin">';


echo $ban["admin_name"].'</td><td style="text-align:center; font-size: 12px">'.date('H:i - d/m/y',$ban["user_bantime"]).'</td>';

/* Unban date.
if ($ban["user_unban"] != "0")
{

echo date('H:i - d/m/y',$ban["user_unban"]);

} else {

echo "Never";

}*/


 echo '<td style="text-align:left; font-size: 11px">'.$ban["user_reason"].'</td>';


// Status
$today = strtotime("now");
echo '</td><td style="text-align:center; font-size: 12px">'.$ban["user_steamid"].'&nbsp;&nbsp;</td>';

// Ban Length
$date1 = date('y-m-d H:i:s',$ban["user_bantime"]);
$date2 = date('y-m-d H:i:s',$ban["user_unban"]);
$to_time=strtotime($date1);
$from_time=strtotime($date2);

$ban_length = round(abs($to_time - $from_time) / 60,0);
if ($ban["user_unban"] != "0")
{
// Days
if ($ban_length >= 1440)
{
$ban_length = round(abs($to_time - $from_time) / 24 / 60 / 60,0);
// Years couldn't be arsed to think of another way to do it.
if ( $ban_length >= 365 )
{
$ban_length = round(abs($to_time - $from_time) / 360 / 24 / 60 / 60,0);
if ($bans_length > 1)
echo "<td style=\"text-align:center; font-size: 12px\">".$ban_length." Years </td>";
else
echo "<td style=\"text-align:center; font-size: 12px\">".$ban_length." Year </td>";
}
else
echo "<td style=\"text-align:center; font-size: 12px\">".$ban_length." Days </td>";
}
// Hours
else if ($bans_length >= 60)
{
$ban_length = round(abs($to_time - $from_time) / 60 / 60,0);
if ($bans_length > 1)
echo "<td style=\"text-align:center; font-size: 12px\">".$ban_length." Hours </td>";
else 
echo "<td style=\"text-align:center; font-size: 12px\">".$ban_length." Hour </td>";
}
else
echo "<td style=\"text-align:center; font-size: 12px\">".$ban_length." Minutes </td>";
}

else {
echo "<td style=\"text-align:center; font-size: 12px\">Permanent</td>";
}

if ($ban["user_unban"] == "0")
echo '<td style="text-align:center; font-size: 12px"><span style="color:#FF0000">Banned</span></td>';

else if ( $today  > $ban["user_unban"] )
echo '<td style="text-align:center; font-size: 12px"><span style="color:#008000">Expired</span></td>';

else
echo '<td style="text-align:center; font-size: 12px"><span style="color:#FF0000">Banned</span></td>';

echo '</tr>';


}

?></table>

<center><p>Web-based ULX bans by Russy.</p></center>

</div>



</body>

</html>
I've tried experimenting w/ stuff like

Code: [Select]
$filename = "http://108.163.211.219/bans.txt";
$contents = file_get_contents($filename);
but it doesn't seem to want to work.

What's the proper way to check if a file exists on a remote server? I know file_exists() works for you local files.

I think i need to use something like the following. BUT if the file is not found PHP throws a warning. I know i can put a '@' before fopen() but that just masks the error.

Code: [Select]
<?php
if(fopen("http://www.othersite.com/imageXYZ.jpg", "r"))
{
echo "File exists.";
}
else
{
echo "File does not exist.";
}
?>

Hi,

I have a video site with a lot of content hosted. I recently shifted to a CDN solution.

The problem now is that I cannot force user to download the file. The files just open in the browser window.

When the user clicks on download, I just use

header ("location: http://cndserver/file.mov");

What can I do to force download a file stored on a remote server?

Any help is appreciated.

Thanks in advance.

This one stumped me, but maybe someone has figured it out. 
I'm trying to write a script that is able to decide whether a remote url is a directory or a file, this is fine until it comes to mod_rewrite(rewritten?)  urls.

ex.
http://www.example.com/test

Now this could be test.php,test.html etc., but in the rare case, it could also be a folder (example.com/test/index.php).

Anyone have any ideas?

hey friends i badly need one help

i want to read some remote file say http://xyz.com/my.file

when i download using wget in shell its reading with more than 4mbps but when i use fread/file_get_contents/curl function in php script its read with too slow speed

please help me please 

Following on from a discussion in the IRC #help chat I wanted to open a discussion on the best method to upload an file to a remote server through a web service. It is a little more complex than that simple explanation so let me go into more detail.

You have the client accessing a website which is hosted on ServerA, through their computer which is the files origin. The web service is housed on ServerB and the remote upload target server is ServerC. I'm looking to upload the file through the web service on ServerB.

The purpose of this is to prevent ServerA from knowing the target location for the upload, ServerC. ServerA must be able to take the file from the computer, pass it to the web service on ServerB which streams it through to ServerC. The file shoul not be saved on any one of the hops through to ServerC, it should be streamed straight through.

Computer (file) ---> ServerA (Apache) ---> ServerB (Web Service) ---> ServerC (File target location)

If youn think this is possible, what is your best suggested method of uploading the file. Currently, I'm looking at using cURL and the SoapClient to access the web service and upload the file. I'm yet to research if this is possible and would like to know if anyone else has a better method/suggestion?

Regarding my job, I just need to connect ServerA with ServerB and stream the file somehow for the clients computer...

Warning: include(): Failed opening 'lang/en.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/name/public_html/db/config.php on line 13

What does the for inclusion mean.   Line 13:

include 'lang/'.$_SESSION['default_lang'].'.php';

Thank you.

Purpose: To get time zone of a remote file in my time zone. I have to download a file daily (mp3, don't worry its legal!) from BBC. Problem is that sometimes BBC doesn't update the file and i have to download entire file to check if it has been updated or not. Hence i decided to code a page that gives me date and time of that remote file. I have successfully compiled the code (that i got from internet). But the time returns in EST. I want the time in IST (indian std time Asia/Calcutta). CURLINFO_FILETIME has bee used. Below is code.

Pls suggest me how to convert EST to IST - Warning: I am a newbie. But i can follow instructions

Code: [Select]
<?php
$curl = curl_init('http://wsdownload.bbc.co.uk/hindi/tx/32mp3/din_bhar.mp3');

//don't fetch the actual page, you only want headers
curl_setopt($curl, CURLOPT_NOBODY, true);

//stop it from outputting stuff to stdout
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

// attempt to retrieve the modification date
curl_setopt($curl, CURLOPT_FILETIME, true);

$result = curl_exec($curl);

if ($result === false) {
    die (curl_error($curl)); 
}

$timestamp = curl_getinfo($curl, CURLINFO_FILETIME);
if ($timestamp != -1) { //otherwise unknown
    echo "BBC Hindi was last modified" . date("d-m-Y h:i:s A T", $timestamp); //etc
} ?>


I have used it with custom getRemoteFileSize function he -
Code: [Select]
http://island.web44.net/bbc.php

I need to check (from a Debian server to a Mac CLIENT (not server) machine) to see if a file exists on the file system...not an http server.

Here's what I've tried (based on reading at http://www.php.net/manual/en/function.ssh2-exec.php)

Code: [Select]
<?php
function check_remote_files($username, $hostname, $remote_file)
{
$connection = ssh2_connect($hostname, 22, array('hostkey'=>'ssh-rsa'));

if (ssh2_auth_pubkey_file($connection, $username,
                          '/root/.ssh/id_rsa.pub',
                          '/root/.ssh/id_rsa', '')) 
{
echo "Public Key Authentication On Server #2 Successful\n";
}

$url = "if ssh $hostname stat $remote_file \> /dev/null 2\>\&1";
$stream=ssh2_exec($connection,$url);
    stream_set_blocking( $stream, true );
    $cmd=fread($stream,4096);
fclose($stream);

$stream=ssh2_exec($connection,"then");
    stream_set_blocking( $stream, true );
    $cmd=fread($stream,4096);
fclose($stream);

$stream=ssh2_exec($connection,"echo File exists");
    stream_set_blocking( $stream, true );
    $cmd=fread($stream,4096);
fclose($stream);

$stream=ssh2_exec($connection,"else");
    stream_set_blocking( $stream, true );
    $cmd=fread($stream,4096);
fclose($stream);

$stream=ssh2_exec($connection,"echo Not found");
    stream_set_blocking( $stream, true );
    $cmd=fread($stream,4096);
fclose($stream);

$stream=ssh2_exec($connection,"fi");
    stream_set_blocking( $stream, true );
    $cmd=fread($stream,4096);
fclose($stream);

}
?>

NOTHING happens after the echo of Public Key Authentication On Server #2 Successful.

I'm running this script from a bash shell.

Any ideas what might be wrong?

Thanks.

Hey guys I m developing a download system for my server that reads files from a third party server and enables MY USER to download it via my URL. What mechanisms should i use to manage this efficiently ???


file_get_contents();
fopen();


Or should I use some kind of buffer mechanism ??? Please do provide a code sample as I'm stuck here very badly.

Note: The file sizes may be >500MB

I have a php script on a server writing to an html file on a remote server. I'm using the following combination of fopen and fputs. The problem is that once out of maybe every 10 or 15 writes to the file, the file that is written is blank with nothing in it.

Has anyone here had experience with this before? The file is fixed the next time it writes to it. this code is within a loop that runs every 10 seconds.



Code: [Select]
// Allows overwriting of existing files on the remote FTP server
$stream_options = array('ftp' => array('overwrite' => true));

// Creates a stream context resource with the defined options
$stream_context = stream_context_create($stream_options);

// Opens the file for writing and truncates it to zero length
if ($fh = fopen($ftp_path, 'w',0, $stream_context))
{

if ( $change > 0   )
fputs($fh, "the contents of the html file is here");      //the case if change is positive

else
fputs($fh, "the contents of the html file is here");   //the case if change is negative

// Closes the file handle
fclose($fh);
}
else
{
die('Could not open file.');
}

When I Google the above string I find a lot of advice about using SFTP, turning on blocking, upgrading libraries and such, however, the code that does this seems to work during some operations and not work during others, so I don't think it's a matter of a buggy library. If I could find out why it cannot create the remote file, that might do a world of good. But I've been through all of /var/log and some log messages acknowledge the ssh session, but don't give any clues as to what goes wrong.
I've looked at the user, password, host name and port name in and around the ssh2_connect() call. They are all good. I've also checked the permissions and ownership on the destination directory. They aren't the problem either. I've also tried duplicating the call w/a command-line scp call, and that test passes also.
So now find myself staring at this "failure creating remote file" message, wondering what the failure is, and I'm running out of ideas.
I'm running RHEL AS release 4.

I am trying to write a php/mysql that will allow a church keep attendance on their members in bible study. I am also going to try to prevent doing a circular reference between tables and just can't figure it out how since I am just starting to learn mysql. Here are the tables:   Table 1: Members: --------------- 1:Name: 2:Address: 3:Bible Study Group it belongs to:   Table 2: Cells -------------- 1:Bible Study Lider: 2:Bible Group Name   Table 3: Attendance -------------- 1:Date 2:Member 3:Bible Group   As you all can see, Table 2:2 makes a lookup at Table 1 for the member(in this case, the leader). BUT Table 1:3 makes a lookup to Table 2:2 and is a circular lookup.   Anyone have an idea on how to properly do this without any circular problems?   Thanks in advance!          

I know that the following lines of code can be used to prevent errors from being displayed:

Code: [Select]
<?php
error_reporting(0);
ini_set('display_errors', 0);
?>

Is there a reason to use one over the other? Is it better to use both?

Basically, I have the following code ($c2 is my connection variable):
Code: [Select]
$rid = $_GET['id'];
$q = mysql_query("SELECT * FROM reports WHERE id = $rid", $c2) or die(mysql_error());
$report = mysql_fetch_array($q);
$report is used later on to gather more information that is outputted to the user.

However, if in the URL, someone were to put id=1', they would have an error message spit out to them (something along the lines of: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1), indicating a SQL Injection exploit.

How would I go about fixing this, and also preventing SQL Injection?

Thanks a bunch,
Mark