PHP & cron: security issues

Question

Whats the best way to ensure that only CRON executes PHP scripts, and not someone else who stumbled upon your php scripts..

I was thinking a Password Variable.... bu

Answer 1

Don't put the script inside your public_html (or anywhere under your document root) directory if you only need to execute it from cron. It really is that simple.

Answer 2

You can send params to a PHP file via the command line. Just not like you are thinking.

http://www.php.net/manual/en/reserved.variables.argc.php

However, you also want to keep this out of the public html folder, like the others are saying. So you CAN'T surf to them. PHP run from command line doesn't need to be in any kind of webserver watch folder.

Answer 3

Suppose if u don't want anybody to run the file via http then set the cron by using php command as you are doing and add htacess to cron folder to block http request to the folder by adding

deny from all to htacess

Suppose if u want the cron folder to be password protected then it can be done as mentioned in the URl

http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/

Answer 4

Having a password could work, but :

• Writing a password in your crontab is a bad idea because other local users might be able to read it
• Your syntax won't work (it would try to run the script "script?password=12345". Parameters can't be named in shell script, so you would have to run "script.php 12345"

A valid solution would be to check in your PHP script, that the current environment looks like the one provided by cron when launching commands. Cron specific environment variables might help you ensure your script is being run fby cron and not a user.

Answer 5

You should keep this file outside of public_html

/usr/local/bin/php -f /home/mysite/script 
// is secure from public access

Answer 6

Or you can block execution by IP do something like this:

($_SERVER['REMOTE_ADDR'] == "127.0.0.1") or die('NO ACCESS');