Reputation: 2851
I have a PHP script that runs every hour (cron job) to clean up/delete views in a temp views table in my database.
Currently, the URL is:
http://example.com/api/clean.php
However, this is accessible by any user, so the script can run due to someone accessing the link and it's easy to guess.
If I made the URL some random string:
http://example.com/api/090b235e9eb8f197f2dd927937222c5703.php
would anyone be able to "discover" it to run the script? Is there a better way to block people from accessing the script?
Upvotes: 1
Views: 268
Reputation: 23078
I had a similar problem with a PHP application hosted externally. The solution was to password protect the folder containing all administrative scripts (including cron job related scripts), so there was no public access to the folder's contents.
My solution was for Linux and involved configuration through a .htaccess file:
AuthName "Admin"
AuthType Basic
AuthUserFile /home/conf/httpd/htpasswd/...
Require valid-user
The password file and .htaccess file are automatically generated by the hosting company through their panel, but I can access and change the .htaccess file.
Bypassing directory password protection is tackled here:
http://user:password@example.com/api/clean.php
Upvotes: 0
Reputation:
Most databases have functions to do this type of thing. In MySQL you can set up an event:
DELIMITER $$
-- SET GLOBAL event_scheduler = ON$$ -- required for the event to execute, not to create it
CREATE /*[DEFINER = { user | CURRENT_USER }]*/ EVENT `dbName`.`eventName`
ON SCHEDULE
/* uncomment the example below you want to use */
-- schedule example 1: run once
-- AT 'YYYY-MM-DD HH:MM:SS'/CURRENT_TIMESTAMP { + INTERVAL 1 [HOUR|MONTH|WEEK|DAY|MINUTE|...] }
-- schedule example 2: run at intervals forever after creation
-- EVERY 1 [HOUR|MONTH|WEEK|DAY|MINUTE|...]
-- schedule example 3: specified start time, end time and interval for execution
/*EVERY 1 [HOUR|MONTH|WEEK|DAY|MINUTE|...]
STARTS CURRENT_TIMESTAMP/'YYYY-MM-DD HH:MM:SS' { + INTERVAL 1 [HOUR|MONTH|WEEK|DAY|MINUTE|...] }
ENDS CURRENT_TIMESTAMP/'YYYY-MM-DD HH:MM:SS' { + INTERVAL 1 [HOUR|MONTH|WEEK|DAY|MINUTE|...] } */
/*[ON COMPLETION [NOT] PRESERVE]
[ENABLE | DISABLE]
[COMMENT 'comment']*/
DO
BEGIN
-- (sql_statements): the statements to run, each terminated by ;
END$$
DELIMITER ;
http://dev.mysql.com/doc/refman/5.7/en/create-event.html
Upvotes: 1
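As an added example (not part of the answer above), here is the template filled in for the hourly clean-up the question describes, so the job runs inside the database server and there is no web-reachable script at all. The database name `app`, the table `temp_views`, its `created_at` DATETIME column and the one-day retention are all assumed placeholders; the scheduler setting and the `information_schema.EVENTS` check are standard MySQL.

```sql
-- Added example, not from the answer above. Assumed names: database `app`,
-- table `temp_views` with a DATETIME column `created_at`, retention of 1 day.

-- The scheduler thread must be running for any event to fire. Setting it
-- needs a privileged account; it can also be set in my.cnf so it survives restarts.
SET GLOBAL event_scheduler = ON;

DELIMITER $$

CREATE EVENT `app`.`purge_temp_views`
ON SCHEDULE EVERY 1 HOUR
STARTS CURRENT_TIMESTAMP
ON COMPLETION PRESERVE   -- keep the event definition if it ever expires
ENABLE
COMMENT 'Hourly clean-up of expired rows in temp_views (replaces api/clean.php)'
DO
BEGIN
    DELETE FROM `app`.`temp_views`
    WHERE `created_at` < CURRENT_TIMESTAMP - INTERVAL 1 DAY;
END$$

DELIMITER ;

-- Verify the event exists, is enabled, and has actually run
SELECT EVENT_NAME, STATUS, INTERVAL_VALUE, INTERVAL_FIELD, LAST_EXECUTED
FROM information_schema.EVENTS
WHERE EVENT_SCHEMA = 'app';

-- Confirm the scheduler thread is on; an enabled event with it OFF never runs
SHOW VARIABLES LIKE 'event_scheduler';
```

Because the event runs under the privileges of its definer, create it from an account that only has DELETE on the target table rather than from root; and because `LAST_EXECUTED` stays NULL until the first run, check it after the first hour to confirm the scheduler is really doing the work the cron job used to do.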