I am currently working on a new project which involves using CRON jobs.
The CRON script basically runs an SQL query, generates the data into a file, and sends that file to another server via FTP.
The script is on a live website (www.website.com/sendOrders.php)
I don't see any security issues or threats, and I think it is highly unlikely that anyone will find the PHP script on the server. However, I don't want the script to be executed by any outsiders.
Is there a way I can protect this script?
Thanks
Peter
You could move your "secret files" into a subfolder, then create a .htaccess file in there that prevents access to that file from everyone, except the server that is running the Cronjob.
Example:
DENY FROM ALL
ALLOW FROM 123.123.123.123
If you have shell access you might also put the scripts outside of the accessible folder and run them directly via the command line or a cronjob like this: php script.php
Why not just move the script outside the web root of the server and execute it from the CLI? This way there is no chance of anyone else executing it.
If you must have it in the webroot (and there should be no reason for it), just make sure that the client for the request is the server you are running it on, and it should be more than enough.
This seems rather silly. Why have cron on machine A invoke a script via HTTP on machine B, when you could simply have machine B's native scheduling system (whatever OS it happens to be) do the job itself?
Then you could have the script tucked away somewhere that's not accessible via HTTP and render your security problem completely moot.
If the files are in a folder which shouldn't be locked down completely, wrap those lines in <Files whatever.php>...</Files>
<Files "cron.php">
Order deny,allow
Allow from name.of.this.machine
Allow from another.authorized.name.net
Allow from 127.0.0.1
Deny from all
</Files>
Here is my solution:
In cron.php, check whether a specific header is sent.
cron.php
<?php
require_once 'functions.php';

if (secure_cron_script() === false) {
    echo 'Unauthorized';
    return;
}
echo 'OK';
functions.php
<?php
// DEBUG and SECURE_CRON_TOKEN are expected to be defined in the site's configuration.
// Note that DEBUG must never be true in production, since it bypasses the check entirely.
function secure_cron_script () {
    if (DEBUG)
        return true;
    $http_headers = getallheaders();
    // hash_equals() compares in constant time, so the token cannot be probed via response timing.
    if (empty($http_headers['X-My-Cron-token'])
        || !hash_equals(SECURE_CRON_TOKEN, $http_headers['X-My-Cron-token'])) {
        return false;
    }
    return true;
}
How to call cron with curl:
curl --header "X-My-Cron-token: 321123321sd" https://example.com/cron.php
No IP restriction. No GET/POST. If dev mode, skips restriction. You can put script wherever you want.
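An added example (not code from any of the answers above) that combines the two approaches in this thread: it prefers the CLI-only invocation the earlier answers recommend, and only if the script is reached over HTTP does it fall back to a source-address check plus a constant-time token comparison. The constant CRON_TOKEN, the header name, and the allowed address list are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in a real deployment this would be loaded from a config file kept outside the web root.
const CRON_TOKEN = 'replace-with-a-long-random-value';

/**
 * True when PHP was started from the command line (e.g. by crontab).
 * This is the preferred path: the script is never reachable over HTTP at all.
 */
function invoked_from_cli(): bool
{
    return PHP_SAPI === 'cli';
}

/**
 * Fallback for deployments that must keep the script under the web root.
 * Requires both an allowed source address and a matching token, compared
 * in constant time so the token cannot be guessed via response timing.
 */
function http_request_is_authorized(array $server, array $headers, array $allowedIps): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $allowedIps, true)) {
        return false;
    }
    // HTTP header names are case-insensitive; normalise before the lookup.
    $normalised = array_change_key_case($headers, CASE_LOWER);
    $sent = $normalised['x-my-cron-token'] ?? '';
    return is_string($sent) && hash_equals(CRON_TOKEN, $sent);
}

if (!invoked_from_cli()) {
    // getallheaders() only exists under a web SAPI, so guard the call.
    $headers = function_exists('getallheaders') ? getallheaders() : [];
    if (!http_request_is_authorized($_SERVER, $headers, ['127.0.0.1', '::1'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// ... run the SQL query, write the export file and upload it via FTP here ...
echo "OK\n";
```

The crontab entry for the preferred path would simply be `php /path/outside/webroot/sendOrders.php`, so the HTTP branch is never exercised.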