Understanding why proxy don't deny access with file_get_contents in PHP

Question

I have a proxy with a lot of restrictions, like: can't access youtube, facebook and a lot of anothers websites, these are company policies.

But testing a code in PHP i discovered that i can access any site using this:

<!doctype html>  
<html lang="en">  
    <head>  
        <meta charset="utf-8">  
        <title>Web Proxy</title> 
    </head> 
    <body> 
        <div style="text-align:center;"> 
            <form method="GET" action="<?=$_SERVER['REQUEST_URI']?>"> 
                <input type="url" name="url" placeholder="Type URL of site"/><input type="submit" Value="Load url" /> 
            </form> 
        </div> 
        <hr/> 
        <?php 
            $url = $_GET['url']; 
            if (!empty($url)) 
            { 
                // check we're only getting files served by a website (i.e. not ../../../passwords.txt from this server etc.)  
                if(preg_match('/^https?:/i', $url))   
                {  
                    $contents = file_get_contents($url);  
                    if($contents === FALSE)  
                    {  
                        echo "<h2>Sorry <pre>{$url}</pre> cannot be read</h2>\n";  
                    }  
                    //display contents of url  
                    else   
                    { ?>  
                        <?=$contents?>  
                        <script>for (var i=0; i<document.links.length; i++) document.links[i].href="<?=$_SERVER['PHP_SELF']?>?url="+document.links[i].href;</script>  
                    <?php }  
                }  
                else  
                {  
                    echo "<h2><pre>$url</pre> is an invalid URL</h2>\n";  
                }  
            }  
        ?>  
    </body>  
</html>

I just wanna understand how this code can process any site ignoring the proxy policies ? I can access everything without restrictions. Someone can explain me the concept "behind the scenes" ?

where are you running this code? just because a proxy's been enforced on your browser doesn't mean it can enforced on something that ISN'T a browser, or isn't in a place where the proxy requirements are applied. — Marc B, Dec 19 '13 at 19:00
Well, i'm running this code in my browser (google chrome), the same browser that i use to test another sites (youtube,facebook...). — Shelly, Dec 19 '13 at 19:04
no, you're using chrome to access a web page on a web server. the php code is running on that server. — Marc B, Dec 19 '13 at 19:18

SeventotheSeven · Accepted Answer · 2013-12-19T19:29:55.060

PHP is a server-side scripting language.

So, unlike HTML/CSS/JS which get executed by your browser, PHP will be interpreted by the server first and then only the results after the script has run will be sent to your computer/browser.

That means the file_get_contents will be executing on the server that your PHP script is on. If the server that that PHP file is hosted on is not also behind your company proxies then the proxies will not effect it.

Effectively, this means that the server will first download the webpage you are trying to access and then put the results into the script's page. Your browser/computer will never actually access the $url page, only the server will.

Example: Youtube.com

Normally: Proxy sees your computer/browser try to access Youtube.com and does not let you access
Loaded through PHP on separate server: Server hosting script somewhere outside of company downloads youtube.com, server sends you the data via script's page. Your browser/computer never accesses youtube.com only external server does, proxy does not see youtube.com

edit: So if an HTML frame/iframe were used instead of PHP then the proxy would still deny access as HTML is not a server-side scripting language. HTML tells your browser what to do, PHP tells the server what to do before letting your computer/browser access it. When HTML is used to load the page the PROXY sees the load URL request, when PHP is used the PROXY sees only the PHP page URL

So, why when i try to load the page using: the proxy deny the acccess ? Just because of URL ? If i encrypt URL with "http://ebutuoy.com" (equals to youtube.com) the proxy will not deny the access ? The key-point is that PROXY just can see the URL ? — Shelly, Dec 19 '13 at 19:20
is an HTML tag. HTML is not a server-side scripting language. HTML gets executed by your own computer/browser. So when your computer sees iframe for Youtube.com it's your own computer that still has to download youtube, not the server, the server will only interpret server-side scripts before sending you the page. You can think of the server as a separate computer somewhere else in the world not at your company. — SeventotheSeven, Dec 19 '13 at 19:21
I think that i got it: Using file_get_contents all content of youtube.com is loaded inside "index.html" (just a example) before send to client computer. So when user will access the "index.html" in some domain, like: "webproxy.com/index.html" the content of this site will be from "youtube.com" but already processed from server-side. In this way the company proxy will never know the inside "webproxy.com" have youtube.com content, right ? But proxy don't deny specific words inside content ? Like "game, porn and others..." — Shelly, Dec 19 '13 at 19:34

Understanding why proxy don't deny access with file_get_contents in PHP

1 Answers1