Moe

Reputation: 399

PHP & cron: security issues

What's the best way to ensure that only cron executes PHP scripts, and not someone else who stumbled upon your PHP scripts?

I was thinking of a password variable... but is this a legal cron command?

/usr/local/bin/php -f /home/mysite/public_html/dir/script?password=12345

This way people would not be able to execute the same commands when visiting the PHP script via HTTP (unless they know the password).

Thanks.

Upvotes: 7

Views: 6502

Answers (6)

Padmanabha Vn

Reputation: 624

If you don't want anybody to run the file via HTTP, then set up the cron job using the php command as you are doing, and add an .htaccess file to the cron folder to block HTTP requests to the folder by adding

deny from all

to the .htaccess file.

If you want the cron folder to be password protected, it can be done as described at this URL:

http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/

Upvotes: 2

Nicolas

Reputation: 2186

Having a password could work, but:

  • Writing a password in your crontab is a bad idea because other local users might be able to read it.
  • Your syntax won't work (it would try to run the script "script?password=12345"). Parameters can't be named in a shell script, so you would have to run "script.php 12345".

A valid solution would be to check in your PHP script that the current environment looks like the one provided by cron when launching commands. Cron-specific environment variables might help you ensure your script is being run by cron and not a user.

Upvotes: 0

user529649

Reputation:

Or you can block execution by IP; do something like this:

($_SERVER['REMOTE_ADDR'] == "127.0.0.1") or die('NO ACCESS');

Upvotes: 0

DampeS8N

Reputation: 3621

You can send params to a PHP file via the command line. Just not like you are thinking.

http://www.php.net/manual/en/reserved.variables.argc.php

However, you also want to keep this out of the public html folder, like the others are saying. So you CAN'T surf to them. PHP run from command line doesn't need to be in any kind of webserver watch folder.

Upvotes: 0

Ish

Reputation: 29546

You should keep this file outside of public_html

/usr/local/bin/php -f /home/mysite/script 
// is secure from public access

Upvotes: 14

El Yobo

Reputation: 14946

Don't put the script inside your public_html (or anywhere under your document root) directory if you only need to execute it from cron. It really is that simple.

Upvotes: 0
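
The points the answers converge on (run from the command line, keep the file out of public_html, pass parameters as arguments instead of a query string) combined into one guard, as an added example that is not from any of the posts above. The job.php name, the /home/mysite/cron path and the --task parameter are assumptions, and it checks the CLI SAPI rather than cron-specific environment variables.

```php
<?php
// Constructed example (PHP 7.1+). Assumed crontab command:
//   /usr/local/bin/php -f /home/mysite/cron/job.php -- --task=cleanup
const DOC_ROOT = '/home/mysite/public_html';   // assumed document root
const ALLOWED_TASKS = ['cleanup', 'report'];   // hypothetical task names

/** Return a reason string if the script must not run, or null if it may. */
function cli_only_violation(string $sapi, array $server, string $scriptPath, string $docRoot): ?string
{
    // 1. A web server never runs PHP under the "cli" SAPI, so HTTP requests stop here.
    if ($sapi !== 'cli') {
        return "refusing to run under SAPI '$sapi'";
    }
    // 2. Defence in depth: these keys are populated only for web requests.
    foreach (['REQUEST_METHOD', 'REMOTE_ADDR', 'HTTP_HOST'] as $key) {
        if (!empty($server[$key])) {
            return "web request variable $key is set";
        }
    }
    // 3. Catch a deployment mistake: the script is reachable by URL.
    $root = rtrim($docRoot, '/') . '/';
    if (strncmp($scriptPath, $root, strlen($root)) === 0) {
        return "script lives under the document root ($docRoot)";
    }
    return null;
}

/** Read "--task=name" from argv, the CLI replacement for "?task=name". */
function parse_task(array $argv, array $allowed): ?string
{
    foreach (array_slice($argv, 1) as $arg) {
        if (strncmp($arg, '--task=', 7) === 0) {
            $task = substr($arg, 7);
            return in_array($task, $allowed, true) ? $task : null;
        }
    }
    return null;
}

$reason = cli_only_violation(PHP_SAPI, $_SERVER, __FILE__, DOC_ROOT);
if ($reason !== null) {
    error_log("cron guard: $reason");   // logged, never echoed to a web client
    http_response_code(404);            // no effect on the CLI
    exit(1);
}
$task = parse_task($_SERVER['argv'] ?? [], ALLOWED_TASKS);
if ($task === null) {
    error_log('usage: php -f job.php -- --task=' . implode('|', ALLOWED_TASKS));
    exit(2);
}
echo "Running task: $task\n";
```

Nothing secret appears in the crontab line, so other local users who can read it learn only the task name.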
