So, say that server A has PHP installed, as does server B. Can server B include files from server A, and if so, is there any way to disable that (preferably without a die function in all of the scripts :p)?

I am just concerned about the security of my scripts, some of which contain MySQL passwords, FTP passwords, etc. I've been looking online, but I can't find anything.

If the server has allow_url_fopen set to on in the php.ini file, then you can get files from any browser accessible file on the other server. The only thing with this is that it will only use whatever is parsed and use that. In other words, if you have a php file like so:



<?php
$var = 'test';
?>


it will include a blank page; as compared to if you have this:



<?php
$var = 'test';
echo $var;
?>


it will display the word "test". You can turn this off in the php.ini file.

Hope this helps.

So other people cannot access functions/variables/classes/etc?

Exactly. :)

I know I am starting to get annoying now, but just to be sure:

You are saying that the include would essentially be the same as if the file was opened over on the internet? For example, if someone included this php page, they would get the same thing (in code) that we see? If so, that is a HUGE relief.

And are you certain? (No offense, I just have to hear it to calm my paranoia :p).

Also, while I am at it, if you wanted to include the actual PHP source code, would you need to do an fread() to output it?

Thanks,
--Jas