I am writing a series of functions to interact with third-party APIs that will be included in other PHP scripts. Most of these third-party APIs use token-based authentication, so I would like to store these tokens within the function, but I’m wondering what the best practices are for preventing exploitation of those functions in the included file.
For example, in a script called ~/public_html/includes/functions.php I would define some functions that call a public API using cURL, and then return some sort of response from the API. Then, within my app, I would include ~/public_html/includes/functions.php and call the functions to interact with the third-party APIs.
My concern is what if someone else includes http://www.example.com/includes/functions.php in their script, and starts calling my functions to make API calls using my credentials? Should functions.php live somewhere else, perhaps outside of the ~/public_html dir? Or perhaps I can use UNIX permissions to prevent anyone but my own apps to include the functions.php script?
My concern is what if someone else includes http://www.example.com/includes/functions.php in their script, and starts calling my functions to make API calls using my credentials? Should functions.php live somewhere else, perhaps outside of the ~/public_html dir? Or perhaps I can use UNIX permissions to prevent anyone but my own apps to include the functions.php script?
You are mixing up a lot of things here. And the long story short: You should not worry. I gave a full explanation on how include works with URLs in this answer. Below is a summary for your purposes.
Specifically, while one could use include to include full URLs like include('http://www.google.com/'); the only thing you get from that include is the final rendered content of the page. 100% none of the functions, classes, variables, strings, constants or anything contained in the internals of that PHP code. Or as very clearly explained in the PHP documentation you are linking to; emphasis mine:
If "URL include wrappers" are enabled in PHP, you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Supported Protocols and Wrappers for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope; the script is actually being run on the remote server and the result is then being included into the local script.
So you cannot include credentials remotely—or any PHP internals—in the way you describe. The only way that could happen is if ~/public_html/includes/functions.php were included locally. That is when PHP internals are exposed.
Or the better way to understand this: When you request a PHP file via http:// or https:// it is parsed & processed via the PHP module in Apache. So it only returns the final product—if any—post often conveyed by an echo statement.
But when you include a file via the local file system it is not parsed by the PHP module in Apache. It is simply raw code. And that is how you can use the functions, classes, variables, strings, constants and anything contained in the internals of that PHP code.