westman

file security - stop access from URL


Hi all,
I have a file at the following directory...
www.mysite.com/folder/file.php
I have a cron job running file.php and all is well there.
How do I stop the file running the code if someone enters my file directory in the address bar?


On our servers, I use this:

$php_command_line = strpos(php_sapi_name(), 'apache') === false && (strpos(php_sapi_name(), 'cgi') !== false || strpos(php_sapi_name(), 'cli') !== false);

Then I can check if $php_command_line is true to figure out if it is a command-line execution or if it's being executed through the web server.  The above line probably won't work for you unless your web server is configured like ours, but use php_sapi_name to see what it returns when you run the page in a browser versus on the command line.

You might be able to check for other differences also:

http://php.net/manual/en/features.commandline.differences.php

For example, obviously PHP wouldn't look for cookies on a command line, but I don't know if that means that $_COOKIE is always empty, or if it doesn't exist at all.


Thank you for the insight.
I tried the code you gave but it did not work for me.
I have used...

if (php_sapi_name() != 'cli') {
  header('location:http://mysite.com');
  exit();
}

at the top of the page and it seems to do the job. When I type the file directory in the address bar the code in the file does not run and I am moved to the home page. At the same time using the code above, my cron job works fine.

If the code above is not the best way of stopping access from the URL please tell me.

Also, how do I grant access to another PHP file that is including a file that is blocking URL access using the code above?

 

 


Anything running on the command line can include that file without a problem.


I think I was misunderstood.
My second question was meant to mean at run time - not using the command line.

If my index.php includes www.mysite.com/folder/file.php and file.php has the above code at the top, how do I grant access to index.php? 


If you want to change the conditions, maybe you can use the information in $_SERVER to help you test what you want to test.


If I have the following code in header.php and index.php is including header.php, will header.php be protected from URL access?

if(!isset($_SERVER['HTTP_REFERER'])){
    header('location:../index.php');
    exit();
}

 


Hmm hello. I am not sure if this is helpful? Mostly because I don't use CRON jobs (yet). But what about using "defines"? Say in index.php you put at the top of the file "define("derp", true);" and then in the file.php you are including, put:

if (defined("derp")) {
    // run your code in here to show on the index page
} else {
    die(); // or just send back to index.php with header()
}

I am using this, but I am not so sure this will work if you are using CRON jobs, since defines don't really do anything except check if something is defined, and if so then execute. It cannot differentiate URL execution from CRON execution - so this should happen on all executions.

Again, not sure if this is helpful at all, but I know for sure this is working for me - without the cron jobs.

However, if cron jobs are needed, then you should be able to do another thing that might work (I think).

You can still use the define method; however, only wrap the define method around the places you wish to show in index.php. So say you got 1 piece of code you wanna execute to index.php and you still have running CRON jobs, and you already know that the CRON job is just executing and not with the defined definer... then in the if statement, put all the things you would like to show on index.php and in the else part, only put the things you would like for the CRON to run. Because the index.php has the defined string, and CRON does not, it should work. In that way you can include the file BUT separate the 2 actions...

Again... I think. This was just a quick thinking solution, not sure it actually works, since I am still playing with CRON jobs myself.

Test it and come back if it does not work.

Good info: before doing this, take a backup/copy of the original file if you have a lot of data - to make sure you still have the original - just in case :)


If I have the following code in header.php and index.php is including header.php, will header.php be protected from URL access?

No, you're just checking for a referer header.
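
The guards discussed in this thread, compared side by side as an added example (not code from any poster here). APP_ENTRY is a hypothetical constant that index.php would define before including the file, and the request contexts are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. APP_ENTRY is a hypothetical
// constant that index.php would define() before including the file.

/** The header.php check from the thread: passes whenever a Referer header exists. */
function referer_guard(array $server): bool
{
    // HTTP_REFERER is filled from a request header, so the client decides its value.
    return isset($server['HTTP_REFERER']);
}

/** Allow cron (CLI) runs and includes from a script that defined APP_ENTRY. */
function entry_guard(string $sapi, bool $entryDefined): bool
{
    return $sapi === 'cli' || $entryDefined;
}

// Constructed contexts: [SAPI name, $_SERVER subset, APP_ENTRY defined?]
$cases = [
    'cron job (php file.php)'        => ['cli', [], false],
    'included by index.php'          => ['apache2handler', [], true],
    'URL typed in the address bar'   => ['apache2handler', [], false],
    'direct request sending Referer' => ['apache2handler', ['HTTP_REFERER' => 'http://mysite.com/'], false],
];

/** Run both guards over every context and collect the decisions. */
function evaluate(array $cases): array
{
    $rows = [];
    foreach ($cases as $label => [$sapi, $server, $entryDefined]) {
        $rows[$label] = [
            'referer_guard' => referer_guard($server),
            'entry_guard'   => entry_guard($sapi, $entryDefined),
        ];
    }
    return $rows;
}

foreach (evaluate($cases) as $label => $r) {
    printf("%-32s referer=%-5s entry=%s\n", $label,
        $r['referer_guard'] ? 'allow' : 'deny',
        $r['entry_guard'] ? 'allow' : 'deny');
}

// In the real file the guard sits on the first lines:
//   if (!entry_guard(PHP_SAPI, defined('APP_ENTRY'))) { http_response_code(404); exit; }
```

Keeping cron-only scripts outside the web root removes the URL altogether, which leaves the guard as a second layer.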
