PHP & cron: security issues_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-01-29 05:38 出处：网络

Whats the best way to ensure that only CRON executes PHP scripts, and not someone else who stumbled upon your php scripts..

I was thinking a Pass开发者_运维知识库word Variable.... but is this a legal CRON command? :

/usr/local/bin/php -f /home/mysite/public_html/dir/script?password=12345

This way people cannot be able to execute the same commands when visiting the PHP script via HTTP (unless they know the password)

Thanks.

You should keep this file outside of public_html

/usr/local/bin/php -f /home/mysite/script 
// is secure from public access

Suppose if u don't want anybody to run the file via http then set the cron by using php command as you are doing and add htacess to cron folder to block http request to the folder by adding

deny from all to htacess

Suppose if u want the cron folder to be password protected then it can be done as mentioned in the URl

http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/

Don't put the script inside your public_html (or anywhere under your document root) directory if you only need to execute it from cron. It really is that simple.

You can send params to a PHP file via the command line. Just not like you are thinking.

http://www.php.net/manual/en/reserved.variables.argc.php

However, you also want to keep this out of the public html folder, like the others are saying. So you CAN'T surf to them. PHP run from command line doesn't need to be in any kind of webserver watch folder.

Or you can block execution by IP do something like this:

($_SERVER['REMOTE_ADDR'] == "127.0.0.1") or die('NO ACCESS');

Having a password could work, but :

Writing a password in your crontab is a bad idea because other local users might be able to read it
Your syntax won't work (it would try to run the script "script?password=12345". Parameters can't be named in shell script, so you would have to run "script.php 12345"

A valid solution would be to check in your PHP script, that the current environment looks like the one provided by cron when launching commands. Cron specific environment variables might help you ensure your script is being run fby cron and not a user.