2

I have a PHP script and this shall only run if the server itself calls it. Like this: form().submit runs an AJAX request to POST the form data. I don't want to develop a hash decode and encode system to prove whether the request is allowed or not.

Is there an easy possibility to check if the "server runs the script" or if the client wants to run the script? If not, I may use .htpasswd

zerophreak
  • 2
    Place it outside of the docroot and it will effectively be unavailable to the user. Only the server will be able to run it. – mingos Apr 29 '14 at 08:37
  • If you know the IP address of your server, you may compare it with the request IP? – Gwenc37 Apr 29 '14 at 08:38
  • possible duplicate: http://stackoverflow.com/questions/343557/how-to-distinguish-command-line-and-web-server-invocation – Antonio Ragagnin Apr 29 '14 at 08:38

4 Answers

2

You can do that with the following steps:

1) Put your PHP script outside of your web document root, like /usr/local/phpscripts/

2) Run this script from your code like:

$output = shell_exec('php /usr/local/phpscripts/your_script.php');

By doing this, only your server can call your script. Web users cannot access this PHP script to execute it.

Hüseyin BABAL
2

If you only want your script to be executed when you include() it then you can set a variable in the including script and check it in this one.

script1.php:

<?php
$my_call = true;
include('script2.php');

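script2.php: (the script you don't want to be called from browser)

<?php
// $my_call is only set by the including script; on a direct request it is undefined,
// so empty() is used to avoid an undefined-variable notice.
if (empty($my_call)) { die('Access Denied.'); }
//your code here...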

Otherwise, if you want to only be able to use a script from the command line:

add this line at the very beginning of your script:

<?php

if(php_sapi_name() !== 'cli'){die('Access denied.');}

// your code next

For the comment below:

[root@xxxxx html]# cat test.php
<?php

echo php_sapi_name();
[root@xxxxx html]# php test.php
cli

Now calling this same script from browser:

apache2handler
Loïc
  • No, this forbids access to the script for anything other than command line access. I flagged your comment as useless, hopefully you'll delete it by yourself. – Loïc Apr 29 '14 at 08:56
  • OK, `!==`, which I read as `===`, my bad. Still, the answer is not what the OP asked for. This in turn won't let the CGI run the script. Restricting it to any given SAPI name is not recommended since you might as well get "apache2filter" as your SAPI name under Apache, and this will definitely not be runnable by Nginx or even the `php-cli` SAPI (PHP's inbuilt webserver). – mingos Apr 29 '14 at 09:01
  • 1
    Wasn't sure what the OP wanted. I've edited it now hopefully it covers everything. :) – Loïc Apr 29 '14 at 09:13
1

If you're using Apache, you can place your scripts in a folder and add an htaccess file (.htaccess) with the following content:

deny from all

In that way when the user tries to access the php script directly, they will only get a forbidden page. You can only access files here via include/require methods of the php script being used within the server.

Jereme
0

The scripts available to the user agent must be inside the docroot, otherwise they are completely unavailable. Assuming this is your project's structure:

public_html/
 |-- index.php
src/
 |-- somefile.php

and assuming your document root is set to the public_html directory (via the vhost configuration), the files inside src cannot be accessed by the user agent. Therefore only the server may run them by requiring them in other scripts.

mingos
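
A guard that could sit at the top of src/somefile.php in the layout above, as a second layer in case src/ ever becomes reachable through a vhost or alias change. This is an added example, not part of the answer; `is_entry_script` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// src/somefile.php (path taken from the layout above; the guard is an added example)

/**
 * True when $file is the entry script of this run (requested directly by URL
 * or started as `php somefile.php`) rather than pulled in by include/require.
 * Hypothetical helper, not from the original answers.
 */
function is_entry_script(string $file): bool
{
    // get_included_files() lists the entry script first, then every include.
    $entry = realpath(get_included_files()[0] ?? '');

    return $entry !== false && $entry === realpath($file);
}

if (is_entry_script(__FILE__)) {
    // Reached directly: answer with 403 under a web SAPI, then stop.
    if (PHP_SAPI !== 'cli') {
        http_response_code(403);
    }
    exit('Access denied.');
}

// From here on the file is known to have been required by another script,
// e.g. public_html/index.php doing: require __DIR__ . '/../src/somefile.php';
// ... code that must only run when the server includes this file ...
```

Unlike a flag variable set by the caller, this check does not depend on any state the including script has to remember to set, and it does not tie the script to one SAPI name.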