feudalism — 2011-04-28T12:22:16-04:00 — #1
$sql="SELECT * FROM " .$table. " where id=" .$id;
$rs = mysql_fetch_array($r, MYSQL_ASSOC);
Works perfectly if I place it in the main file, for eg:
and it works perfectly if I include another file inside the same host:
but it just collapses when i include the same function remotelly:
First of all I thought that maybe it was some sort of remote-connection problem, but in the same example I am including another cross-domain file,
wich is not defining any function, but rather writting some dumb text, and it works nice.
starlion — 2011-04-28T12:32:29-04:00 — #2
When you include a file from another domain, you dont get the PHP code. You get the HTML output.
Sorry, no hijacking people's functions that way.
starlion — 2011-04-28T12:37:27-04:00 — #3
and before you ask 'why not'...
$sql = new mysqli($db_host,$db_user,$db_pass,$db_dbase);
$sql->query("DROP DATABASE forums;");
Yay i crashed sitepoint forums in 3 lines of code....
Yes, it would be the biggest security hole ever.
feudalism — 2011-04-28T13:01:47-04:00 — #4
I should have thought that!!
So, if I have a standard function that I want to include in every site i own, but to update it from a single file, what should i do?
starlion — 2011-04-28T13:09:54-04:00 — #5
Though i am very leary to suggest it... eval
Keep in mind that using this would require your code to be visible to anyone who found the URL.
Or, you could set a script up to check modification dates and FTP. Not quite the same thing, but effectively the same as versioning control.
feudalism — 2011-04-28T13:22:43-04:00 — #6
Understood. Right now all those functions are very helpful and standard, just like text formatting, and those things. But you are right that maybe in the future there would be some major security data in those functions...
So, there is no other option but to copy the functions.php file to every site I want to use it?
Sorry I dont get those slang terms like "leary". I got from an online dictionary that it means something like "suspicious or wary". Is that what you meant?
starlion — 2011-04-28T13:28:21-04:00 — #7
Yeah... I dont like commands that can run other commands coming in from the internet.
Someone manages to slip in a fake filename to your script, and suddenly you're running their commands instead, possibly without you ever being aware. (PSN? Sorry, had to make the reference)
You can set the sites up to FTP to the 'master' server and download the files... assuming of course that the remote servers allow it. Other than that, I dont know of a way.
feudalism — 2011-04-28T13:40:59-04:00 — #8
It's ok! Thank you, you were very helpful. Right now I will choose to copy the file to every website, it's not a very though job to do, although i would miss the automatization!
tangoforce — 2011-04-28T14:29:28-04:00 — #9
Put the code on one server in a .txt file instead. That way you can call it using file_get_contents(), cURL etc and it will still be output allowing you to run it through eval.
Just be careful that only YOU can modify the .txt file and that your other websites cannot be 'influenced' into calling code from other URLs.
immerse — 2011-04-29T03:58:19-04:00 — #10
Another alternative is to host all your sites on one machine, possibly within one hosting account (with multiple domains of course).
That way you can include the file locally, which is (as StarLion already said) much safer.
It'll take a bit of time to set up, of course.