1

I have a PHP script that runs every hour (cron job) to clean up/delete views in a temp views table in my database.

Currently, the URL is:

http://example.com/api/clean.php

However, this is accessible by any user, so the script can run due to someone accessing the link and it's easy to guess.

If I made the URL some random string:

http://example.com/api/090b235e9eb8f197f2dd927937222c5703.php

would anyone be able to "discover" it to run the script? Is there a better way to block people from accessing the script?

frosty
  • Why is a web server involved in this process at all? About complicated URLs: yes, it is not secure. If you have to use a web server, at least make your PHP script expect a $_POST parameter or a handshake. – Axalix Mar 06 '16 at 06:21
  • @Axalix what do you mean? – frosty Mar 06 '16 at 06:22
  • Can you call this script from a console: `php /web/my-site/application/api/clean.php`? – Axalix Mar 06 '16 at 06:25
  • Put script in directory outside Web root –  Mar 06 '16 at 07:09

2 Answers

1

Most databases have functions to do this type of thing. In MySQL you can set an event:

```sql
DELIMITER $$

-- SET GLOBAL event_scheduler = ON$$     -- required for event to execute but not create

CREATE  /*[DEFINER = { user | CURRENT_USER }]*/ EVENT `dbName`.`eventName`

ON SCHEDULE
    /* uncomment the example below you want to use */

    -- schedule example 1: run once
       --  AT 'YYYY-MM-DD HH:MM.SS'/CURRENT_TIMESTAMP { + INTERVAL 1 [HOUR|MONTH|WEEK|DAY|MINUTE|...] }

    -- schedule example 2: run at intervals forever after creation
       -- EVERY 1 [HOUR|MONTH|WEEK|DAY|MINUTE|...]

    -- schedule example 3: specified start time, end time and interval for execution
       /*EVERY 1  [HOUR|MONTH|WEEK|DAY|MINUTE|...]
       STARTS CURRENT_TIMESTAMP/'YYYY-MM-DD HH:MM.SS' { + INTERVAL 1[HOUR|MONTH|WEEK|DAY|MINUTE|...] }
       ENDS CURRENT_TIMESTAMP/'YYYY-MM-DD HH:MM.SS' { + INTERVAL 1 [HOUR|MONTH|WEEK|DAY|MINUTE|...] } */

/*[ON COMPLETION [NOT] PRESERVE]
[ENABLE | DISABLE]
[COMMENT 'comment']*/

DO
    BEGIN
        (sql_statements)
    END$$

DELIMITER ;
```

http://dev.mysql.com/doc/refman/5.7/en/create-event.html

0

I had a similar problem with a PHP application hosted externally. The solution was to password-protect the folder containing all administrative scripts (including cron-job-related scripts), so there is no public access to the folder content.

My solution was for Linux and involved configuration through an .htaccess file:

```
AuthName "Admin"
AuthType Basic
AuthUserFile /home/conf/httpd/htpasswd/...
Require valid-user
```

The password file and the .htaccess file are automatically generated by the hosting company through their panel, but I can access and change the .htaccess file.

Bypassing directory password protection is tackled here:

http://user:pass@example.com/api/clean.php
Community
Alexei - check Codidact
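
The two suggestions from the comments on the question (run the script from the console, or at least require a POST parameter) combined into one guard, as an added example that is not part of the original posts. The names `is_authorized()`, `guard()`, the `CRON_TOKEN` environment variable and the `X-Cron-Token` header are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. is_authorized(), guard(), CRON_TOKEN and the X-Cron-Token
// header are illustrative names, not taken from the original posts.

/** Allow CLI runs (cron); over HTTP require POST plus a shared secret. */
function is_authorized(string $sapi, array $server, string $secret): bool
{
    if ($sapi === 'cli') {
        return true;                       // started as `php clean.php`
    }
    if ($secret === '' || ($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                      // no secret configured, or not POST
    }
    $sent = $server['HTTP_X_CRON_TOKEN'] ?? '';
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guess were correct.
    return is_string($sent) && hash_equals($secret, $sent);
}

/** Call at the top of clean.php, before any database work. */
function guard(): void
{
    $secret = getenv('CRON_TOKEN') ?: '';  // kept out of the URL and the source
    if (!is_authorized(PHP_SAPI, $_SERVER, $secret)) {
        http_response_code(404);           // look like a missing file
        exit;
    }
}

// Constructed sample invocations (not real traffic) showing each decision.
$secret = 'constructed-demo-secret';
$cases = [
    'cron via CLI'        => ['cli', []],
    'browser GET'         => ['fpm-fcgi', ['REQUEST_METHOD' => 'GET']],
    'POST without token'  => ['fpm-fcgi', ['REQUEST_METHOD' => 'POST']],
    'POST, wrong token'   => ['fpm-fcgi', ['REQUEST_METHOD' => 'POST',
                              'HTTP_X_CRON_TOKEN' => 'guess']],
    'POST, correct token' => ['fpm-fcgi', ['REQUEST_METHOD' => 'POST',
                              'HTTP_X_CRON_TOKEN' => $secret]],
];
foreach ($cases as $label => [$sapi, $server]) {
    $verdict = is_authorized($sapi, $server, $secret) ? 'run' : 'refuse';
    printf("%-20s %s\n", $label, $verdict);
}
```

With the guard in place, the crontab entry can invoke the interpreter directly, as in Axalix's comment (`php /web/my-site/application/api/clean.php`), and the file can then be moved outside the web root so no URL maps to it at all.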