如何确保我的PHP脚本仅作为计划作业而不是从浏览器运行?
[英]How can I ensure my PHP script is only run as a schedule job and not when run from a browser?
问题描述
Each time when I am opening eg retrieveContent.php the script is executed and insert records into the database. 
每次我打开例如retrieveContent.php脚本时,都会执行该脚本并将记录插入数据库中。 Since I use this script in a schedule job it should not be a problem. 由于我在计划作业中使用了此脚本,因此应该不会有问题。
However I noticed that a user found the script path and did opened the retrieveContent.php file which was executed and inserted a record in the database. 但是,我注意到一个用户找到了脚本路径,并确实打开了执行的retrieveContent.php文件,并在数据库中插入了一条记录。 How can I prevent browser transactions by a user using PHP? 如何防止用户使用PHP进行浏览器交易? Thanks in advance! 提前致谢!
4 个解决方案
解决方案1
2 已采纳 2014-04-01 20:45:12
Look at the php_sapi_name() function. 查看php_sapi_name()函数。 It will tell you if you're running in CLI (command-line interface). 它会告诉您是否在CLI(命令行界面)中运行。
http://php.net/manual/en/function.php-sapi-name.php http://php.net/manual/zh/function.php-sapi-name.php
You can also move the PHP script to somewhere outside of your web server's document tree. 您还可以将PHP脚本移动到Web服务器文档树之外的某个位置。
解决方案2
1 2014-04-01 20:43:31
You have lots of options. 您有很多选择。 I'll mention just three: 我只提到三个:
Append a query parameter, that only you know and that is hard-coded in the script, eg
retrieveContent.php?key=secret.附加一个只有您自己知道并且在脚本中进行了硬编码的查询参数,例如retrieveContent.php?key=secret。 (Or in CLI mode, a secret command line argument.) Check this parameter in your script and only perform the actions if it matches the hard-coded value.(或在CLI模式下,为秘密的命令行参数。)在脚本中检查此参数,并且仅在与硬编码值匹配时才执行操作。 If your scheduled job is performed on the same server where the script resides, move the script to a separate directory protected by a
.htaccessfile with the following content:如果计划的作业是在脚本所在的同一台服务器上执行的,请将脚本移动到受以下内容保护的.htaccess文件保护的单独目录中:Deny from all Allow from localhostIf your scheduled job fetches the script via HTTP, figure out, which user agent is sent in
$_SERVER['HTTP_USER_AGENT'], and only perform the actions if the script is accessed by that user agent.如果您的计划作业通过HTTP获取脚本,请找出哪个用户代理在$_SERVER['HTTP_USER_AGENT'],并且仅在该用户代理访问了脚本的情况下执行操作。 But this is less safe, since the user can fake the user agent (if he manages to find out the correct one).但这不太安全,因为用户可以伪造用户代理(如果他设法找到正确的代理)。
解决方案3
0 2014-04-01 20:47:50
Pass a secret argument to your script when called via CLI and confirm it on PHP side. 通过CLI调用时,将秘密参数传递给脚本,并在PHP端进行确认。 For example: 例如:
-- terminal --
php script.php secret-argument
-- script.php --
<?php
if(!isset($argv[1]) || $argv[1] != 'secret-argument')
{
die('restricted access');
}
// Rest of script
$argv is a global PHP variable that Contains an array of all the arguments passed to the script when running from the command line. $ argv是一个PHP全局变量, Contains an array of all the arguments passed to the script when running from the command line.
解决方案4
0 2014-04-01 21:03:18
Couple of ways this could be done: 可以通过几种方法完成:
-
if(php_sapi_name() != 'cli'){ die();}orif(PHP_SAPI != 'cli'){ die();}if(php_sapi_name() != 'cli'){ die();}或if(PHP_SAPI != 'cli'){ die();}
The following solutions won't always work depending on server settings: 根据服务器设置,以下解决方案并非总是可行:
Check for $_SERVER['argv'], it is only set on CLI execution
if (empty($_SERVER['argv'])) { die();}.检查$ _SERVER ['argv'],仅在if (empty($_SERVER['argv'])) { die();}在CLI执行if (empty($_SERVER['argv'])) { die();}设置。 This is mostly true, unless your server loads those on HTTP request.除非您的服务器在HTTP请求上加载了这些内容,否则大多数情况下都是这样。 if(!empty($_SERVER['REMOTE_ADDR'])) { die();}REMOTE_ADDR is empty when called via CLI.if(!empty($_SERVER['REMOTE_ADDR'])) { die();}通过CLI调用时REMOTE_ADDR为空。if(empty($_SERVER['TERM'])) { die();}PHP loads the TERM variable with the terminal type.if(empty($_SERVER['TERM'])) { die();}PHP使用终端类型加载TERM变量。 Same is true for$_SERVER['SHELL']or$_SERVER['USER'].$_SERVER['SHELL']或$_SERVER['USER']。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.