Home » Php » PHP & cron: security issues

PHP & cron: security issues

Posted by: admin July 12, 2020 Leave a comment

Questions:

Whats the best way to ensure that only CRON executes PHP scripts, and not someone else who stumbled upon your php scripts..

I was thinking a Password Variable…. but is this a legal CRON command? :

/usr/local/bin/php -f /home/mysite/public_html/dir/script?password=12345

This way people cannot be able to execute the same commands when visiting the PHP script via HTTP (unless they know the password)

Thanks.

How to&Answers:

You should keep this file outside of public_html

/usr/local/bin/php -f /home/mysite/script 
// is secure from public access

Answer:

Suppose if u don’t want anybody to run the file via http then set the cron by using php command as you are doing and add htacess to cron folder to block http request to the folder
by adding

deny from all to htacess

Suppose if u want the cron folder to be password protected then it can be done as mentioned in the URl

http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/

Answer:

Don’t put the script inside your public_html (or anywhere under your document root) directory if you only need to execute it from cron. It really is that simple.

Answer:

You can send params to a PHP file via the command line. Just not like you are thinking.

http://www.php.net/manual/en/reserved.variables.argc.php

However, you also want to keep this out of the public html folder, like the others are saying. So you CAN’T surf to them. PHP run from command line doesn’t need to be in any kind of webserver watch folder.

Answer:

Or you can block execution by IP
do something like this:

($_SERVER[‘REMOTE_ADDR’] == “127.0.0.1”) or die(‘NO ACCESS’);

Answer:

Having a password could work, but :

  • Writing a password in your crontab is a bad idea because other local users might be able to read it
  • Your syntax won’t work (it would try to run the script “script?password=12345”. Parameters can’t be named in shell script, so you would have to run “script.php 12345”

A valid solution would be to check in your PHP script, that the current environment looks like the one provided by cron when launching commands. Cron specific environment variables might help you ensure your script is being run fby cron and not a user.