Home/ Questions/Q 5993469
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T23:40:47+00:00

I’m currently trying to allow my remote server(B) to affect my local server(A) with

  • 0

I’m currently trying to allow my remote server(B) to affect my local server(A) with a php include.
As a small test I put a php file in server A that include a file from server B, I allowed including urls via php.ini and changed my user agent.

The file on server B include code to create a small test file that is supposed to be created on server A. The problem is that everytime I run server A’s include the file gets created on server B, when I really want it created on server A.

Server A’s code:

include("http://www.XXXXXXXXX.com/Test.php");

Server B’s code:

   $ourFileName = "testFile.txt";
   $ourFileHandle = fopen($ourFileName, 'w') or die("can't open file");
   fclose($ourFileHandle);
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    On Server B, place the following line in your .htaccess file:

    AddType text/plain .php

    You need the code to be output by Server B to be read by Server A. At the moment it’s being processed on Server A.

    This will make your code visible to the public. It will also prevent any other PHP from being executed in that directory. You can use a <Files> directive to make it only apply to particular files, but it will always be available to the public. There are ways to restrict access there, both in PHP and in .htaccess.

    If you don’t want that to happen, there are ways to do that too but they’re a bit more complex.

    EDIT to respond to request
    If you want to still execute PHP on Server B and selectively include files, I’d suggest creating a new file includer.php with content like the following:

    <?php
if ('my-secret-key' == $_GET['auth']) {
    if (is_readable($_GET['file'])) {
        header('Content-type: text/plain');
        echo file_get_contents($_GET['file']);
    } else {
        header('Status: 404 Not found');
        header('Content-type: text/plain');
        die('<?php /* File not found */ ?>');
    }
} else {
    header('Status: 403 Forbidden');
    header('Content-type: text/plain');
    die('You do not have permission to access this page.');
}

    And then on your Server A:

    include ('http://example.com/includer.php?auth=my-secret-key&file=Test.php');

    You should also look at using basename() on $_GET['file'] on Server B if you can, to improve security, and hash()ing your auth parameter.

    • 0