Cross-Domain PHP Include

In the increasingly connected internet applications, someone somewhere is bound to use include() function for cross-domain linking. Is it possible ?

Well, first of all, it is not recommended. But, yes it is possible:

If “URL include wrappers” are enabled in PHP, you can specify the file to be included using a URL (via HTTP or other supported wrapper – see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file’s variable scope; the script is actually being run on the remote server and the result is then being included into the local script.

Windows versions of PHP prior to PHP 4.3.0 do not support access of remote files via this function, even if allow_url_fopen is enabled.

Example #3 include through HTTP
/* This example assumes that is configured to parse .php
* files and not .txt files. Also, 'Works' here means that the variables
* $foo and $bar are available within the included file. */
// Won't work; file.txt wasn't handled by as PHP
include '';
// Won't work; looks for a file named 'file.php?foo=1&bar=2' on the
// local filesystem.
include 'file.php?foo=1&bar=2';
// Works.
include '';
$foo = 1;
$bar = 2;
include 'file.txt'; // Works.
include 'file.php'; // Works.

Security warning

Remote file may be processed at the remote server (depending on the file extension and the fact if the remote server runs PHP or not) but it still has to produce a valid PHP script because it will be processed at the local server. If the file from the remote server should be processed there and outputted only, readfile() is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.

See also Remote files, fopen() and file() for related information.

Source: PHP Manual

But, as the PHP manual states, it is a security risk. It should be used cautiously.

A better way is to use other functions in PHP, such as file(), file_get_contents(), fopen() and its family or use the cURL library built in PHP.

The best way, in my opinion is to create an API, something that I am personally developing for my personal projects. And I am also doing an API together with the team at IdeaLounge Indonesia as the base platform for all their applications.

With API, you can protect access to it. Right now I am using Oauth. Still learning a lot there.

Back to topic.

Why does this topic comes up ? Because when developing application, we will encounter repetition. Lots of it. Which is why we have classes and libraries which lets us write once and reuse it. As often as possible.

Naturally, as human, we find repetition to be boring. Repetition is where machine excels. It can do it over and over again without ever getting bored.

So, while it is possible, please use other methods. They are much better and much more secure.