Jump to content

What prevents users from running your cron.php

clumsygenius

By clumsygenius
in PHP Coding Help

 Share

Recommended Posts

clumsygenius Newbie

clumsygenius

Posted
Posted

If I create a page called cron.php with scripts that I want to run once a day, and set up my server to run that once a day, what prevents people other than me or my server, from being able to just type in the link "http://MyWebsite.com/cron.php" and cause my cron page to run? isn't this a security issue?

 

 

clumsygenius Newbie

clumsygenius

Posted
  • Author
Posted

@ignace - by webroot do you mean the same folder where my index.php is? pages in that folder are accessible to anyone right?

 

keep in mind theres probably a simple obvious answer to my question because I'm a beginner. I'm assuming most web sites a have a cron page, and that page is located in the root, but if I type  in http://www.phpfreaks.com/cron.php I'm don't get anything. is there something special about the name "cron" or is it there a configuration file somewhere in my server that tells it to only allow access to cron.php from the local host?

xyph Advanced Member

xyph

Posted
Posted

Under is better terminology - think of it as a tree.

 

Your root is at the bottom, and branches grow up and out. People are too used to folder-tree views, where new folders go under their parents. Ideally, it would be in reverse.

 

Yes, put it in a directory where people visiting your website can't access. This will allow the cron to run only when you expect.

dadamssg87 Advanced Member

dadamssg87

Posted
Posted

you could use a $_GET['variable'] and use it as a kind of password...

 

http://www.yoursite.com/folder/cron.php?password=4sa3d5dgdlk252dfg35

 

 

in your cron.php file

<?php

$password = trim(strip_tags($_GET['password']));

if($password == "4sa3d5dgdlk252dfg35")
{
// run your cron
}else
{
header("location: http://www.yoursite.com");
}

 

clumsygenius Newbie

clumsygenius

Posted
  • Author
Posted

If I put my cron.php obove the folder where my index.php, how would I access it? would i do http://localhost/../cron.php?

I guess I should clarify: I'm doing this on windows 7, I wave an apache server installed. I can only run .php files through a browser by typing in localhost/file.php

Im using task scheduler to execute internet explorer and pass in the url to a cron page as a paramete. I dont know what the URL would be for a page that is above my webroot??

 

@xyph: I would bet that I'm not acrtually running a cron and doing it the rookie way since I don't know much about it. please enlighten me! what is the REAL way of doing it as apose to emulating it??? can I do it on a windows machine?

ignace Advanced Member

ignace

Posted
Posted

I actually don't think there is a significant security risk if the script is designed properly. I found one web app using an image tag in index.php to run cron.php. If cron.php does not find a job to run, nothing further happens.

 

Checking on every request whether their is a job puts more strain on your server. Not ideal if you have around 20k to 30k users per day.

markjoe Member

markjoe

Posted
Posted

@ignace, it was actually a 2 step process. every request it would check if it was at a cron interval, if so, it would then check for a pending job. It actually isn't much work, 2 queries when the app runs anywhere from 10-30 each page. (bloated forum app)

And I only said I don't think it's a significant security risk.

Either way, it's not my favorite solution, but if the small amount of load is not an issue it could be implemented very easily so could be a viable solution.

 

Ultimately the correct answer is to just put the cron script OUTSIDE your web directory, like has been discussed already, in between arguments of semantics.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.