[英]How can I ensure my PHP script is only run as a schedule job and not when run from a browser?
Each time when I am opening eg retrieveContent.php the script is executed and insert records into the database. 每次我打开例如retrieveContent.php脚本时,都会执行该脚本并将记录插入数据库中。 Since I use this script in a schedule job it should not be a problem.
由于我在计划作业中使用了此脚本,因此应该不会有问题。
However I noticed that a user found the script path and did opened the retrieveContent.php file which was executed and inserted a record in the database. 但是,我注意到一个用户找到了脚本路径,并确实打开了执行的retrieveContent.php文件,并在数据库中插入了一条记录。 How can I prevent browser transactions by a user using PHP?
如何防止用户使用PHP进行浏览器交易? Thanks in advance!
提前致谢!
Look at the php_sapi_name()
function. 查看
php_sapi_name()
函数。 It will tell you if you're running in CLI (command-line interface). 它会告诉您是否在CLI(命令行界面)中运行。
http://php.net/manual/en/function.php-sapi-name.php http://php.net/manual/zh/function.php-sapi-name.php
You can also move the PHP script to somewhere outside of your web server's document tree. 您还可以将PHP脚本移动到Web服务器文档树之外的某个位置。
You have lots of options. 您有很多选择。 I'll mention just three:
我只提到三个:
Append a query parameter, that only you know and that is hard-coded in the script, eg retrieveContent.php?key=secret
. 附加一个只有您自己知道并且在脚本中进行了硬编码的查询参数,例如
retrieveContent.php?key=secret
。 (Or in CLI mode, a secret command line argument.) Check this parameter in your script and only perform the actions if it matches the hard-coded value. (或在CLI模式下,为秘密的命令行参数。)在脚本中检查此参数,并且仅在与硬编码值匹配时才执行操作。
If your scheduled job is performed on the same server where the script resides, move the script to a separate directory protected by a .htaccess
file with the following content: 如果计划的作业是在脚本所在的同一台服务器上执行的,请将脚本移动到受以下内容保护的
.htaccess
文件保护的单独目录中:
Deny from all Allow from localhost
If your scheduled job fetches the script via HTTP, figure out, which user agent is sent in $_SERVER['HTTP_USER_AGENT']
, and only perform the actions if the script is accessed by that user agent. 如果您的计划作业通过HTTP获取脚本,请找出哪个用户代理在
$_SERVER['HTTP_USER_AGENT']
,并且仅在该用户代理访问了脚本的情况下执行操作。 But this is less safe, since the user can fake the user agent (if he manages to find out the correct one). 但这不太安全,因为用户可以伪造用户代理(如果他设法找到正确的代理)。
Pass a secret argument to your script when called via CLI and confirm it on PHP side. 通过CLI调用时,将秘密参数传递给脚本,并在PHP端进行确认。 For example:
例如:
-- terminal --
php script.php secret-argument
-- script.php --
<?php
if(!isset($argv[1]) || $argv[1] != 'secret-argument')
{
die('restricted access');
}
// Rest of script
$argv is a global PHP variable that Contains an array of all the arguments passed to the script when running from the command line.
$ argv是一个PHP全局变量,
Contains an array of all the arguments passed to the script when running from the command line.
Couple of ways this could be done: 可以通过几种方法完成:
if(php_sapi_name() != 'cli'){ die();}
or if(PHP_SAPI != 'cli'){ die();}
if(php_sapi_name() != 'cli'){ die();}
或if(PHP_SAPI != 'cli'){ die();}
The following solutions won't always work depending on server settings: 根据服务器设置,以下解决方案并非总是可行:
Check for $_SERVER['argv'], it is only set on CLI execution if (empty($_SERVER['argv'])) { die();}
. 检查$ _SERVER ['argv'],仅在
if (empty($_SERVER['argv'])) { die();}
在CLI执行if (empty($_SERVER['argv'])) { die();}
设置。 This is mostly true, unless your server loads those on HTTP request. 除非您的服务器在HTTP请求上加载了这些内容,否则大多数情况下都是这样。
if(!empty($_SERVER['REMOTE_ADDR'])) { die();}
REMOTE_ADDR is empty when called via CLI. if(!empty($_SERVER['REMOTE_ADDR'])) { die();}
通过CLI调用时REMOTE_ADDR为空。
if(empty($_SERVER['TERM'])) { die();}
PHP loads the TERM variable with the terminal type. if(empty($_SERVER['TERM'])) { die();}
PHP使用终端类型加载TERM变量。 Same is true for $_SERVER['SHELL']
or $_SERVER['USER']
. $_SERVER['SHELL']
或$_SERVER['USER']
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.