PHP & cron: security issues

What is the best way to ensure that only CRON is executing PHP scripts, and not someone else who has stumbled upon your PHP scripts?

I thought about a password variable... but is this a legitimate CRON command?

/usr/local/bin/php -f /home/mysite/public_html/dir/script?password=12345 

Thus, people cannot execute the same commands when visiting a PHP script via HTTP (if they do not know the password).

Thanks.

+6
security php cron
6 answers

You must save this file outside public_html.

 /usr/local/bin/php -f /home/mysite/script # is secure from public access
+13

If you do not want anyone to run the file via HTTP, then set up cron using the php command, as you do, and add an .htaccess file to the cron folder to block HTTP requests to the folder by adding

deny from all

to the .htaccess file.

If you want the cron folder to be password protected, this can be done as described at this URL:

http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/

+1

Do not put the script in your public_html directory (or anywhere in your document root) if you need to execute it only from cron. It's really that simple.

0

You can send params to a PHP file via the command line. Just not the way you think.

http://www.php.net/manual/en/reserved.variables.argc.php

However, you also want to save this in the public html folder, as others say. Therefore, you CANNOT surf. PHP, run from the command line, does not have to be located in any web server view folder.

0

Or you can block execution by IP address. Do something like this:

($_SERVER['REMOTE_ADDR'] == "127.0.0.1") or die('NO ACCESS');

0

Having a password may work, but:

  • Writing a password in your crontab is a bad idea, because other local users can read it.
  • Your syntax will not work (it will try to run the script "script?password=12345"). The parameters cannot be named in the shell script, so you will need to run ".php 12345".

A valid solution would be to check in your PHP script that the current environment is similar to the one provided by cron when running the commands. Cron-specific environment variables can help you ensure that your script is run by cron, and not by the user.

0
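The checks suggested in the answers above (positional command-line arguments instead of a query string, and testing that the environment looks like the one cron provides), written out as an added example that is not part of the original thread. The function names, the `daily` argument and the TERM heuristic are assumptions made for illustration; the script path is the one from the first answer.

```php
<?php
// Added example (not from the original thread): refuse to run unless started
// from the command line, which is how the crontab entry invokes the script.
declare(strict_types=1);

/**
 * True when the invocation looks like a command-line run, not a web request.
 * $sapi and $server are parameters so the check can be fed constructed input.
 */
function looksLikeCliRun(string $sapi, array $server): bool
{
    if ($sapi !== 'cli') {   // web SAPIs report e.g. apache2handler or fpm-fcgi
        return false;
    }
    // Keys a web server sets for every HTTP request; absent in a cron run.
    foreach (['REMOTE_ADDR', 'REQUEST_METHOD', 'HTTP_HOST'] as $key) {
        if (array_key_exists($key, $server)) {
            return false;
        }
    }
    return true;
}

/**
 * Heuristic only. Assumption: the cron daemon sets HOME and PATH but no TERM,
 * because jobs start without a terminal. A local user can reproduce this
 * environment, so treat a mismatch as a warning, not as access control.
 */
function looksLikeCronEnvironment(array $env): bool
{
    return !isset($env['TERM']) && isset($env['HOME'], $env['PATH']);
}

if (!looksLikeCliRun(PHP_SAPI, $_SERVER)) {
    http_response_code(403);   // reached only if the file is exposed over HTTP
    exit('NO ACCESS');
}
if (!looksLikeCronEnvironment(getenv())) {
    fwrite(STDERR, "warning: environment does not look like cron\n");
}

// Positional argument instead of ?name=value, e.g. the crontab command
//   /usr/local/bin/php -f /home/mysite/script daily
// ("daily" is a hypothetical job mode, not something from the thread).
$mode = $_SERVER['argv'][1] ?? 'default';
echo "running job in mode: {$mode}\n";
```

Keeping the file outside public_html remains the primary control; the SAPI check only covers the case where the script ends up web-reachable anyway.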
