What prevents users from running your cron.php

[clumsygenius]

If I create a page called cron.php with scripts that I want to run once a day, and set up my server to run that once a day, what prevents people other than me or my server, from being able to just type in the link "http://MyWebsite.com/cron.php" and cause my cron page to run? isn't this a security issue?

 

 

[ignace]

Why not put cron.php under your webroot?

[markjoe]

maybe make it read in something from STDIN? If some value doesn't exist in $argv[1], then exit.

I've never dealt with this problem, just shooting from the hip.

[clumsygenius]

@ignace - by webroot do you mean the same folder where my index.php is? pages in that folder are accessible to anyone right?

 

keep in mind theres probably a simple obvious answer to my question because I'm a beginner. I'm assuming most web sites a have a cron page, and that page is located in the root, but if I type  in http://www.phpfreaks.com/cron.php I'm don't get anything. is there something special about the name "cron" or is it there a configuration file somewhere in my server that tells it to only allow access to cron.php from the local host?

[mikesta707]

I believe he is referring to the directory above the main directory (IE the directory that your public_html or www folder is in.)

[ignace]

@mikesta that's exactly what I meant.

 

Why not put cron.php under above your webroot?

 

I mistyped.

[markjoe]

I actually don't think there is a significant security risk if the script is designed properly. I found one web app using an image tag in index.php to run cron.php. If cron.php does not find a job to run, nothing further happens.

[xyph]

Under is better terminology - think of it as a tree.

 

Your root is at the bottom, and branches grow up and out. People are too used to folder-tree views, where new folders go under their parents. Ideally, it would be in reverse.

 

Yes, put it in a directory where people visiting your website can't access. This will allow the cron to run only when you expect.

[dadamssg87]

you could use a $_GET['variable'] and use it as a kind of password...

 

http://www.yoursite.com/folder/cron.php?password=4sa3d5dgdlk252dfg35

 

 

in your cron.php file

<?php

$password = trim(strip_tags($_GET['password']));

if($password == "4sa3d5dgdlk252dfg35")
{
// run your cron
}else
{
header("location: http://www.yoursite.com");
}

 

[xyph]

If you're actually running a CRON, and not just emulating what a CRON does, you cannot have a query string (ie ?foo=bar)

[clumsygenius]

If I put my cron.php obove the folder where my index.php, how would I access it? would i do http://localhost/../cron.php?

I guess I should clarify: I'm doing this on windows 7, I wave an apache server installed. I can only run .php files through a browser by typing in localhost/file.php

Im using task scheduler to execute internet explorer and pass in the url to a cron page as a paramete. I dont know what the URL would be for a page that is above my webroot??

 

@xyph: I would bet that I'm not acrtually running a cron and doing it the rookie way since I don't know much about it. please enlighten me! what is the REAL way of doing it as apose to emulating it??? can I do it on a windows machine?

[ignace]

I actually don't think there is a significant security risk if the script is designed properly. I found one web app using an image tag in index.php to run cron.php. If cron.php does not find a job to run, nothing further happens.

 

Checking on every request whether their is a job puts more strain on your server. Not ideal if you have around 20k to 30k users per day.

[markjoe]

@ignace, it was actually a 2 step process. every request it would check if it was at a cron interval, if so, it would then check for a pending job. It actually isn't much work, 2 queries when the app runs anywhere from 10-30 each page. (bloated forum app)

And I only said I don't think it's a significant security risk.

Either way, it's not my favorite solution, but if the small amount of load is not an issue it could be implemented very easily so could be a viable solution.

 

Ultimately the correct answer is to just put the cron script OUTSIDE your web directory, like has been discussed already, in between arguments of semantics.

[xyph]

http://stackoverflow.com/questions/295386/how-to-run-a-php-file-in-a-scheduled-task

 

Your top answer.

[clumsygenius]

THANK YOU XYPH!!!!

 

yes my mistake was that I was trying to run it through the browser. I didn't know I could run php.exe directly and pass it the file!

thanks again!