I have an advertiser who has requested I use PHP code to include their ad tag. This is the code they have given me:

```php
<?php
// Build the request URL from the current host, request path and user agent
$SERVER_NAME = $_SERVER['SERVER_NAME'];
$urlx = $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
$ref = str_replace(" ", null, $HTTP_USER_AGENT);
$URL = "http://www.etc.com/etc/etc.php?urlx=".$urlx."&site=".$SERVER_NAME."&ref=".$ref;

// Read the remote response in 8 KB chunks
$file = @fopen("$URL", "r");
$r = "";
do {
    $data = @fread($file, 8192);
    if (strlen($data) == 0) {
        break;
    }
    $r .= $data;
} while (true);
fclose ($file);

// Print whatever the remote server returned
echo $r;
?>
```

Does this look malicious in any way? Can it be used to run remote commands, upload files or download files? I am a bit paranoid, but only because I am a bit clueless ;> Any help is appreciated. Thanks.
All it does is grab whatever's on:

hppp://www.etc.com/etc/etc.php?urlx=YOURURLHERE&site=YOURSERVERNAMEHERE&ref=THEPERSON'SUSERAGENT

And display it on your website. It cannot execute any PHP code or anything server-side.
This code does not look safe to me. This script cannot hurt your server, but it can load anything into your visitor's browser: arbitrary HTML or JavaScript code (for example, JavaScript rotating hidden AdSense ads, or making AJAX requests somewhere, or making a JavaScript redirect, etc.). So check the code it outputs; it is not clear without a real example.
All possible; in fact, the whole point of the code is to inject HTML into your pages, as that is how the ads will be displayed. You have to decide whether you trust the advertiser. In theory, Google could probably redirect your visitors if they modified the JavaScript file they use to serve the AdSense adverts, but we trust them not to do it. As wmtips suggests, I would look at the code it includes in your files to make sure nothing malicious is going on, but they can change it at any time they choose, so you have to trust them not to do it.
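
One way to act on the advice to check what the tag outputs, written as an added example that is not part of the original thread or the advertiser's code: the audit runs on every response before it is echoed, since the remote side can change its output at any time. The function names and sample responses are constructed for illustration, and it assumes PHP's DOM extension is enabled.

```php
<?php
// Added example: flag active content in markup returned by a remote ad tag.
function audit_ad_markup(string $html): array
{
    $findings = [];
    $doc = new DOMDocument();
    // Parse as a UTF-8 fragment; ad markup is often malformed, so collect
    // libxml warnings internally instead of emitting them.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    foreach ((new DOMXPath($doc))->query('//*') as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, ['script', 'iframe', 'object', 'embed', 'form', 'base'], true)) {
            $findings[] = "<$tag> element";
        }
        foreach ($el->attributes as $attr) {
            $name  = strtolower($attr->name);
            $value = strtolower(preg_replace('/\s+/', '', $attr->value));
            if (strncmp($name, 'on', 2) === 0) {
                $findings[] = "<$tag> inline handler $name";
            } elseif (strncmp($value, 'javascript:', 11) === 0) {
                $findings[] = "<$tag> $name uses javascript: URL";
            } elseif ($tag === 'meta' && $name === 'http-equiv' && $value === 'refresh') {
                $findings[] = '<meta> refresh redirect';
            }
        }
    }
    return $findings;
}

// Return the markup only when the audit finds nothing; otherwise log and drop it.
function render_checked(string $html): string
{
    $findings = audit_ad_markup($html);
    if ($findings) {
        error_log('ad tag output blocked: ' . implode('; ', $findings));
        return '';
    }
    return $html;
}

// Constructed sample responses, not real output from any ad network.
$banner = '<a href="https://ads.example/c?id=1"><img src="https://ads.example/b.png" alt="ad"></a>';
$active = '<img src="x.png" onerror="go()"><script src="https://ads.example/t.js"></script>';
echo render_checked($banner), PHP_EOL;   // passes through unchanged
echo render_checked($active), PHP_EOL;   // suppressed, findings go to the error log
```

Many ad tags legitimately return a script element, in which case this check will block them and the decision comes back to whether you trust the advertiser. A passing audit is a screen rather than a full HTML sanitizer.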