file security - stop access from URL

[westman]

Hi all,
I have a file at the following directory...
www.mysite.com/folder/file.php
I have a cron job running file.php and all is well there.
How do I stop the file running the code if some one enters my file directory in the address bar?

[justsomeguy]

On our servers, I use this:

$php_command_line = strpos(php_sapi_name(), 'apache') === false && (strpos(php_sapi_name(), 'cgi') !== false || strpos(php_sapi_name(), 'cli') !== false);

Then I can check if $php_command_line is true to figure out if it is a command-line execution or if it's being executed through the web server.  The above line probably won't work for you unless your web server is configured like ours, but use php_sapi_name to see what it returns when you run the page in a browser versus on the command line.

You might be able to check for other differences also:

http://php.net/manual/en/features.commandline.differences.php

For example, obviously PHP wouldn't look for cookies on a command line, but I don't know if that means that $_COOKIE is always empty, or if it doesn't exist at all.

[westman]

Thank you for the insight.
I tried the code you gave but it did not work for me.
I have use...

if (php_sapi_name() != 'cli') {
  header('location:http://mysite.com');
  exit();
}

at the top of the page and it seems to do the job. When I type the file directory in the address bar the code in the file does not run and I am moved to the home page. At the same time using the code above, my cron job works fine.

If the code above is not the best way of stopping access from the URL please tell me.

Also, how do I grant access to another php file that are including a file that is blocking URL access using the code above?

 

 

[justsomeguy]

Anything running on the command line can include that file without a problem.

[westman]

I think I was miss understood.
My second question was meant to mean at run time - not using the command line.

If my index.php includes www.mysite.com/folder/file.php and file.php has the above code at the top, how do I grant access to index.php? 

[justsomeguy]

If you want to change the conditions, maybe you can use the information in $_SERVER to help you test what you want to test.

[westman]

If I have the following code in header.php and index.php is including header.php, will header.php be protected from URL access?

if(!isset($_SERVER['HTTP_REFERER'])){
    header('location:../index.php');
    exit();
}

 

[rootKID]

Hmm hello. I am not sure if this is helpful? Mostly because i dont use CRON jobs (yet). But what about using "defines"? Say in index.php you put in top of the file "define("derp")" and then in the file.php you are including, put:

if(defined("derp")) {RUN YOUR CODE IN HERE TO SHOW ON INDEX PAGE!}else{die() "or just send back to index.php with header..."}

I am using this, but i am not so sure this will work if you are using CRON jobs since defines dosent really do anything except checking if something is defined, and if so then execute.. it cannot differentiate from URL execution to CRON execution - so this should happen on all executions.

Again, not sure if this is helpful at all but i know for sure this is working for me - without the cron jobs.

however, if cron jobs are needed, then you should be able to do another thing that might work (i think).

You can still use the define method, however, only wrap the define method around the places you wish to show in index.php. So say you got 1 peace of code you wanna execute to index.php and you still have running CRON jobs, and you already know that the CRON job is just executing and not with the defined definer... then in the if statement, put all the things you would like to show on index.php and in the else part, only put the things you would like for the CRON to run. Because the index.php has the defined string, and CRON does not, it should work. In that way you can include the file BUT seperate the 2 actions...

again... i think. This was just a quick thinking solution, not sure it actually works, since i am still playing with CRON jobs myself.

Test it and come back if it does not work.

Good info before doing this, take a backup/copy of the original file if you have a lot of data - to make sure you still have the original - just in case

[justsomeguy]

If I have the following code in header.php and index.php is including header.php, will header.php be protected from URL access?

No, you're just checking for a referer header.