Software, your way.
burger menu icon
WillMaster

WillMaster > LibrarySecurity and Blocking

FREE! Coding tips, tricks, and treasures.

Possibilities weekly ezine

Get the weekly email website developers read:

 

Your email address

name@example.com
YES! Send Possibilities every week!

Risks of Importing Remote Content with PHP

Some websites offer PHP code for importing certain content into your web pages.

There are some risks. This article discusses how to reduce it a bit in some circumstances. Other risks can't be reduced or eliminated. With more information, you may decide if the risk is acceptable.

Why Use PHP?

Content imported with PHP becomes part of the web page source code. Therefore, search-engine robots see PHP-imported content like they see the content of any static web page.

As examples, the PHP code offered by the websites may import

  • blog post titles,
  • a book or product inventory list,
  • an ad,
  • a complete article,
  • the saying of the day, or
  • a schedule of events.

Some Risks

Whether importing with JavaScript, PHP, or other method, the remote website should be trusted to never include malicious code. You're placing your website and your visitors at the mercy of the vendor providing the code.

This isn't meant to be an alarmist article. Let me mention just a few of the risks to stress the need to trust the content vendor. The imported content could:

  1. Get counts of your traffic.

  2. Read cookies your website has set.

  3. Determine your visitor's IP addresses. Find out where they came from, how long they stay, and if they're repeats.

  4. Anything JavaScript can do, such as replacing the content of the entire page, redirecting browsers to other websites, displaying inappropriate ads, and offering trojans or viruses to visitors.

The Riskier PHP Functions

PHP code that imports with certain functions are riskier than code that imports with other functions.

These four functions, when used for importing PHP content from remote websites, allow PHP code to be executed on your page as if you had typed it in yourself:

  • include()
  • include_once()
  • require()
  • require_once()

When importing with those functions, the PHP code delivered by the remote site could read any file on your server accessible with PHP and change or delete any files on your server writable with PHP.

Because those functions run PHP code on your server, try to use them only when the vendor is trusted absolutely, the content is necessary for your site, and it's the only way the content can be obtained.

Less Risky PHP Functions

These two functions import content without running PHP code on your server that might be embedded within the imported content. Although still with risks, it's much safer to use these than the ones mentioned above.

  • readfile()
  • file_get_contents()

If the remote content must run PHP code on your server in order to publish the entire content, then neither of those two functions will work. In that case, it may be prudent to seriously question whether or not you really need the content from that particular vendor.

Using the PHP Functions

The Import Search-engine-friendly Content article describes various ways to use PHP functions for importing content.

There always are risks when using other people's content that's imported from their websites. The risks are inherent because you don't control what's published — the content vendor controls it.

Therefore, it's prudent to import content only from reputable vendors you trust.

(This article first appeared in Possibilities ezine.)

Will Bontrager

Was this article helpful to you?
(anonymous form)

Support This Website

Some of our support is from people like you who see the value of all that's offered for FREE at this website.

"Yes, let me contribute."

Amount (USD):

Tap to Choose
Contribution
Method

All information in WillMaster Library articles is presented AS-IS.

We only suggest and recommend what we believe is of value. As remuneration for the time and research involved to provide quality links, we generally use affiliate links when we can. Whenever we link to something not our own, you should assume they are affiliate links or that we benefit in some way.

How Can We Help You? balloons
How Can We Help You?
bullet Custom Programming
bullet Ready-Made Software
bullet Technical Support
bullet Possibilities Newsletter
bullet Website "How-To" Info
bullet Useful Information List

© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC