Jump to content

file security - stop access from URL


westman
 Share

Recommended Posts

On our servers, I use this:

$php_command_line = strpos(php_sapi_name(), 'apache') === false && (strpos(php_sapi_name(), 'cgi') !== false || strpos(php_sapi_name(), 'cli') !== false);

Then I can check if $php_command_line is true to figure out if it is a command-line execution or if it's being executed through the web server.  The above line probably won't work for you unless your web server is configured like ours, but use php_sapi_name to see what it returns when you run the page in a browser versus on the command line.

You might be able to check for other differences also:

http://php.net/manual/en/features.commandline.differences.php

For example, obviously PHP wouldn't look for cookies on a command line, but I don't know if that means that $_COOKIE is always empty, or if it doesn't exist at all.

Link to comment
Share on other sites

Thank you for the insight.
I tried the code you gave but it did not work for me.
I have use...

if (php_sapi_name() != 'cli') {
  header('location:http://mysite.com');
  exit();
}

at the top of the page and it seems to do the job. When I type the file directory in the address bar the code in the file does not run and I am moved to the home page. At the same time using the code above, my cron job works fine.

If the code above is not the best way of stopping access from the URL please tell me.

Also, how do I grant access to another php file that are including a file that is blocking URL access using the code above?

 

 

Link to comment
Share on other sites

Hmm hello. I am not sure if this is helpful? Mostly because i dont use CRON jobs (yet). But what about using "defines"? Say in index.php you put in top of the file "define("derp")" and then in the file.php you are including, put:

if(defined("derp")) {RUN YOUR CODE IN HERE TO SHOW ON INDEX PAGE!}else{die() "or just send back to index.php with header..."}

I am using this, but i am not so sure this will work if you are using CRON jobs since defines dosent really do anything except checking if something is defined, and if so then execute.. it cannot differentiate from URL execution to CRON execution - so this should happen on all executions.

Again, not sure if this is helpful at all but i know for sure this is working for me - without the cron jobs.

however, if cron jobs are needed, then you should be able to do another thing that might work (i think).

You can still use the define method, however, only wrap the define method around the places you wish to show in index.php. So say you got 1 peace of code you wanna execute to index.php and you still have running CRON jobs, and you already know that the CRON job is just executing and not with the defined definer... then in the if statement, put all the things you would like to show on index.php and in the else part, only put the things you would like for the CRON to run. Because the index.php has the defined string, and CRON does not, it should work. In that way you can include the file BUT seperate the 2 actions...

again... i think. This was just a quick thinking solution, not sure it actually works, since i am still playing with CRON jobs myself.

Test it and come back if it does not work.

Good info before doing this, take a backup/copy of the original file if you have a lot of data - to make sure you still have the original - just in case :)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...