Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
 |
GNU/Linux Basic Guide
This 255-page guide will provide you with the keys to understand the philosophy of free software, teach you how to use and handle it, and give you the tools required to move easily in the world of GNU/Linux. Many users and administrators will be taking their first steps with this GNU/Linux Basic guide and it will show you how to approach and solve the problems you encounter.
Click Here to receive this Complete Guide absolutely free. |
|
 |
04-12-2006, 08:45 AM
|
#1
|
|
Member
Registered: May 2005
Distribution: Mandriva 2006 Free
Posts: 67
Rep: 
|
Using PHP to run a script on another server
In a project I'm working on at the minute, using PHP, I need some way for a PHP script on one server to notify a PHP script on a completely different server that it needs to update its database. The first script will have to pass some information into the second script and possibly get an error code back. All communication should be done over HTTP.
My first solution was a method that involved security by obscurity - that is, just running a script that noone knows about, but it would of course be fairly simple to find out about it and send in malicious data.
So, I'd like some suggestions of how to do this with minimal possibility for exploiting by malicious individuals.
Any ideas would be very much appreciated.
TIA,
- QS Computing.
|
|
|
|
|
04-12-2006, 09:24 AM
|
#2
|
|
Senior Member
Registered: Nov 2005
Location: Hanoi
Distribution: Fedora 13, Ubuntu 10.04
Posts: 2,375
Rep:
|
Here are a few thoughts that go beyond the log in as user on the second system.
Since you know which machine the request is coming from you could use the IP address as part of your security solution. Essentially only allow the second script to run if the request comes from a particular IP address.
Establish a password exchange as follows:
server 1 says hello
server 2 says give me the encrypted password with the following salt
server 1 receives the salt and so encrypts the password something like: md5(password.salt)
server 2 checks the encrypted value and accepts the transaction - or not!
Rather than get the first server to send the information, get the second server to take it from the first server. That way it makes it harder for a third part to provide malicious data.
graeme.
|
|
|
|
|
04-12-2006, 10:28 AM
|
#3
|
|
Member
Registered: May 2005
Distribution: Mandriva 2006 Free
Posts: 67
Original Poster
Rep:
|
I think the method of taking it from the second server sounds best. So, if I get the first server to poll the second server, and then it runs a script to take the data back from the first server, that should eliminate the security issues somewhat. It's not really an issue if the data is seen; it's fairly public data anyway.
|
|
|
|
|
04-12-2006, 10:41 AM
|
#4
|
|
Senior Member
Registered: Nov 2005
Location: Hanoi
Distribution: Fedora 13, Ubuntu 10.04
Posts: 2,375
Rep:
|
You will need to keep track of the files but that is quite simple.
It may work as follows:
server 1 tells server 2 the data is ready
server 2 runs the script and gets the data from server 1 and thus updates the database
Now someone finds this script and wonders what does it do, and so runs it.
server 2 runs the script and gets the data from server 1, but realises that it has already run this data file and so ignores it.
(The data file could have a timestamp header, requiring server 1 to send the name of the file will help but you don't want anyone getting lucky!)
|
|
|
|
|
04-12-2006, 10:49 AM
|
#5
|
|
Member
Registered: Apr 2002
Location: Windsor, ON, CA
Distribution: Ubuntu
Posts: 740
Rep:
|
If the 2nd server has SSL, just use curl and send the password w/ the request. SSL will ensure no one sees the password.
|
|
|
|
| Thread Tools |
Search this Thread |
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 03:59 PM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
