0

Hey folks, the way I understand it is that cron can be used to execute PHP code by launching the PHP interpreter and passing it the path to the script to be executed.

The code I would like to schedule is in a CodeIgniter controller/model. So basically the controller contains 3 functions that perform some DB stats. Each function will have its own schedule.

How can I secure that controller so that the code doesn't get executed maliciously? Do I pass some creds to the controller as part of the cron job? Or do I take that code and set it up as a separate CI app?

Any thoughts on the matter would be appreciated.

Thanks

Rob
djeetee
  • You can find more answers here: http://stackoverflow.com/questions/6034237/send-a-daily-email-notification-to-users-in-php – jeroen May 18 '11 at 15:37

3 Answers

1

You shouldn't create a controller for doing a script. You should just create a normal PHP script, and launch it via command line/cron.

The script shouldn't be in your public web directory, it should be elsewhere (in a script folder for example), not accessible by the public (a script shouldn't be a web page).

Because if you have a script as a controller, that means you launch the script via the HTTP server, which isn't secure, and in your cron task you'd have to use something like wget "localhost/mycontroller/myaction" (less clean).

Matthieu Napoli
  • The problem you are highlighting is the reason for my question and my idea to pass creds like what @colum suggested. As I mentioned earlier, the reason the code is in a controller was to make life easy and use the CI classes. – djeetee May 18 '11 at 16:01
  • @djeetee I understand my last paragraph is a bit redundant with your question... I emphasise though that this solution, even though requiring some more time, is worth it. – Matthieu Napoli May 18 '11 at 16:05
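What the "separate script, not a controller" approach looks like in practice, as an added example (not code from the question or any of the answers). It assumes a hypothetical layout with the web root at /var/www/myapp/public and the script at /var/www/myapp/scripts/dbstats.php, a MySQL database reached through PDO, and table/column names invented for illustration:

```php
<?php
// Added example: a CLI-only stats script kept OUTSIDE the web root.
// Hypothetical path: /var/www/myapp/scripts/dbstats.php
// Each of the three jobs from the question gets its own crontab line:
//   0 1 * * *    /usr/bin/php /var/www/myapp/scripts/dbstats.php daily_totals
//   */15 * * * * /usr/bin/php /var/www/myapp/scripts/dbstats.php active_users
//   0 3 * * 0    /usr/bin/php /var/www/myapp/scripts/dbstats.php weekly_rollup

// Defence in depth: no URL maps to this file, but if it is ever copied under
// the document root it still refuses to run for anything but the CLI SAPI.
if (PHP_SAPI !== 'cli') {
    header('HTTP/1.1 404 Not Found');
    exit(1);
}

// Credentials live next to the script in a file readable only by the cron
// user (chmod 0600), never in the web root. Hypothetical file: db.ini with
// dsn=, user=, pass= entries.
$cfg = parse_ini_file(__DIR__ . '/db.ini');
if ($cfg === false || !isset($cfg['dsn'], $cfg['user'], $cfg['pass'])) {
    fwrite(STDERR, "dbstats: cannot read db.ini\n");
    exit(2);
}

try {
    $db = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'],
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
} catch (PDOException $e) {
    fwrite(STDERR, "dbstats: connect failed: " . $e->getMessage() . "\n");
    exit(2);
}

// Store one computed metric; table `stats` (metric, value, computed_at) is assumed.
function record(PDO $db, $metric, $value) {
    $st = $db->prepare("INSERT INTO stats (metric, value, computed_at) VALUES (?, ?, NOW())");
    $st->execute(array($metric, $value));
}

// The three jobs as plain functions. Source tables are assumptions.
function daily_totals(PDO $db) {
    $n = (int) $db->query(
        "SELECT COUNT(*) FROM orders WHERE created_at >= CURDATE() - INTERVAL 1 DAY"
    )->fetchColumn();
    record($db, 'daily_totals', $n);
    return $n;
}

function active_users(PDO $db) {
    $n = (int) $db->query(
        "SELECT COUNT(DISTINCT user_id) FROM sessions WHERE last_seen >= NOW() - INTERVAL 15 MINUTE"
    )->fetchColumn();
    record($db, 'active_users', $n);
    return $n;
}

function weekly_rollup(PDO $db) {
    $n = (int) $db->query(
        "SELECT COALESCE(SUM(value), 0) FROM stats
          WHERE metric = 'daily_totals' AND computed_at >= NOW() - INTERVAL 7 DAY"
    )->fetchColumn();
    record($db, 'weekly_rollup', $n);
    return $n;
}

// Whitelist dispatch: the argument selects a key in this map, never a function
// name directly, so an unexpected argument cannot reach any other code.
$tasks = array(
    'daily_totals'  => 'daily_totals',
    'active_users'  => 'active_users',
    'weekly_rollup' => 'weekly_rollup',
);
$task = isset($argv[1]) ? $argv[1] : '';
if (!isset($tasks[$task])) {
    fwrite(STDERR, "usage: php dbstats.php {" . implode('|', array_keys($tasks)) . "}\n");
    exit(64); // EX_USAGE
}

try {
    $result = call_user_func($tasks[$task], $db);
    fwrite(STDOUT, date('c') . " $task ok: $result\n");
    exit(0);
} catch (Exception $e) {
    // Non-zero exit so cron reports the failure instead of silently succeeding.
    fwrite(STDERR, date('c') . " $task failed: " . $e->getMessage() . "\n");
    exit(1);
}
```

If you would rather keep the CI classes, as the asker wanted, CodeIgniter 2.0 and later can run a controller method straight from the command line (`php /var/www/myapp/index.php stats daily_totals`), and the controller can refuse HTTP callers with `if (!$this->input->is_cli_request()) show_404();` at the top of each method. That gives the same property as the script above: the code is only reachable from a shell on the box, so no credentials travel over HTTP at all.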
0

You could always move the file outside the web directory, so you can only access it from the server side. Another way is to change the permissions on the file, so your server can't read the file, and execute the cron under root (not recommended).

As for creds, you can make the script only run if you pass the correct GET variable. For example, the script only runs when you call:

http://localhost/script.php?chjfbbhjscu4iu793673vhjdvhjdbjvbdh=bugy34gruhw3d78gyfhjbryufgbcgherbciube
Colum
  • The GET variable is a bad idea, you shouldn't rely on such a low security to prevent anyone to launch your script. Actually your script shouldn't be accessible as a web page at all, it's a script. – Matthieu Napoli May 18 '11 at 15:41
  • I was just giving more than one option, it is the worst out of all of them, but sometimes it is harder to move the script. – Colum May 18 '11 at 15:43
0

I don't think the querystring idea is that bad actually, especially if this URL is being passed along your own network behind a firewall then there's no real cause for concern.

Another security feature you could implement is making sure the "client's" request IP address is equal to the server's IP address, hence the script can only proceed if it is being called from the server that executes the controller action.

MikeMurko
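If the job really has to be triggered over HTTP, the two checks proposed in the last two answers (a shared secret and a source-address check) can be done in a way that holds up, and the pitfalls in the naive version are worth seeing side by side. The following is an added example, not code from any of the answers; it assumes PHP 5.6 or later (for `hash_equals`), a CodeIgniter 2.x controller, and a hypothetical secret file /var/www/myapp/config/cron.secret generated with `openssl rand -hex 32` and kept outside the web root with mode 0600:

```php
<?php
// Added example: guarding an HTTP-triggered cron endpoint properly.
// Assumed crontab line (secret sent in a header, request to loopback):
//   0 1 * * *  curl -fsS -H "X-Cron-Token: $(cat /var/www/myapp/config/cron.secret)" \
//              http://127.0.0.1/stats/daily_totals

// Naive version, for contrast only. Three problems: the token in the query
// string ends up in the access log; == is a loose, non-constant-time
// comparison; and X-Forwarded-For is a client-supplied header, so anyone can
// claim to be the server.
function weak_cron_guard() {
    $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
        ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
    return $ip == $_SERVER['SERVER_ADDR']
        && $_GET['chjfbbhjscu4iu793673vhjdvhjdbjvbdh'] == 'bugy34gruhw3d78gyfhjbryufgbcgherbciube';
}

// Hardened version. Returns true only for a request that arrived over the
// loopback interface AND carries the right secret in a request header.
function cron_request_allowed(array $server, $secretFile) {
    // 1. Source address. REMOTE_ADDR is filled in by the web server from the
    //    TCP connection and cannot be set by the client; X-Forwarded-For can.
    //    Caveat: behind a reverse proxy every request looks local, so there
    //    this check proves nothing and the secret must carry the weight alone.
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, array('127.0.0.1', '::1'), true)) {
        return false;
    }

    // 2. Secret in a header rather than the query string: query strings are
    //    written to access logs and can leak through Referer headers.
    $presented = isset($server['HTTP_X_CRON_TOKEN']) ? $server['HTTP_X_CRON_TOKEN'] : '';

    // Fail closed on misconfiguration: missing or too-short secret means deny.
    if (!is_readable($secretFile)) {
        return false;
    }
    $expected = trim(file_get_contents($secretFile));
    if (strlen($expected) < 32) {
        return false;
    }

    // 3. Constant-time, strict comparison so the secret cannot be recovered
    //    byte by byte from response timing and no type juggling applies.
    return hash_equals($expected, $presented);
}

// Usage inside the CI 2.x controller (controller and model names assumed):
//
//   class Stats extends CI_Controller {
//       public function daily_totals() {
//           if (!cron_request_allowed($_SERVER, '/var/www/myapp/config/cron.secret')) {
//               show_404();   // same response as a missing page, nothing to probe
//           }
//           $this->load->model('stats_model');
//           $this->stats_model->daily_totals();
//       }
//   }
```

Even done this way, the endpoint remains reachable by anything that can open a TCP connection to the web server, which is why the CLI-only approach in the accepted line of reasoning above is the better default; this guard is the fallback for the case Colum describes, where moving the code out of the controller is not practical.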