doubi5520 2009-02-17 16:35
Accepted

How to check whether the server is executing the PHP script?

I'm running a cronjob which needs to write data to a cache. I wanted to put this cronjob in my private folder, however, even after CHMODding the cache folder in the private folder, it's not getting writing rights. This seems to be some kind of Plesk feature.

So, now I've placed the cronjob in the public folder. However, I need to make sure that only the server can execute the script. What about the following at the top of the cronjob?

if ($_SERVER['SERVER_ADDR'] != $_SERVER['REMOTE_ADDR']) die();

This seems to work. Is it not exploitable, however, e.g. can a user manipulate his remote_addr to my server's? Or is there a better way to check this?

Another issue I have is that the above code is returning 2 warnings, even though it does seem to work:

PHP Notice:  Undefined index:  SERVER_ADDR in ... on line 2
PHP Notice:  Undefined index:  REMOTE_ADDR in ... on line 2

Any idea what's the cause of that?

3 answers

  • dqp10099 2009-02-17 16:57

    Execute the script via the console, not the web server.

    The cron could look like this:

    */5 * * * * php -f /path/to/cron.php
    

    Then the file could do this:

    cron.php:
    <?php
    
    if ( array_key_exists('REMOTE_ADDR', $_SERVER) )
        die("Can only be run from the command line!");
    

    That will guarantee it's only run by the server.

    Edit in response to comments

    You can't get to a public folder inside a private folder, in general, and if you can't add new directories outside the web root, your cache dir will have to be protected another way.

    I'm going to assume all your files are in the web root, i.e. /home/site/publichtml. Replace that with whatever your directory is.

    Create a new directory /home/site/publichtml/.cache. Add the following as a .htaccess file:

    Deny from all
    

    Now your scripts should be able to access the folder from the file system, but it's inaccessible via the web server.

    If you can set up a cron job on the server (via the web admin or another way, it sounds like you can) do it as above, i.e. use php -f /home/site/publichtml/cron.php as the command, and include the check for the array key.

    Alternatively, you can check like this:

    if ( !isset($_SERVER['argc']) )
        die("Must be run from the command line!\n");
    

    $_SERVER['argc'] is only set when the script is executed from the command line.

    If you can keep the cron script out of the web root, good. If not, that should be secure.

    Finally, to get rid of the E_NOTICES, add this to the top of the cron.php:

    error_reporting(E_ALL ^ E_NOTICE); // Turn off notices
    

    or

    error_reporting(0); // Hide all error reporting
    
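A stricter guard for cron.php that combines the REMOTE_ADDR check from the answer above with a check of PHP_SAPI, as an added example that is not part of the original question or answer. The function name is_cli_invocation() and the sample environments are hypothetical and constructed; it assumes cron invokes the CLI build of PHP, so that PHP_SAPI reports 'cli'.

```php
<?php
// Added example, not from the original answer. is_cli_invocation() and the
// sample environments below are hypothetical names and constructed data.

/**
 * Return true only when the script was started by the CLI build of PHP.
 * $sapi is the value of PHP_SAPI; $server is the $_SERVER array.
 */
function is_cli_invocation(string $sapi, array $server): bool
{
    // The SAPI name comes from the PHP binary itself, not from request data.
    if ($sapi !== 'cli') {
        return false;
    }
    // Check from the answer: web requests carry REMOTE_ADDR. array_key_exists()
    // also avoids the "Undefined index" notices seen when it is absent.
    return !array_key_exists('REMOTE_ADDR', $server);
}

// Guard for cron.php: refuse before any output when not started from the CLI.
if (!is_cli_invocation(PHP_SAPI, $_SERVER)) {
    http_response_code(403);
    exit("Can only be run from the command line!\n");
}

// Constructed environments showing the decision for each kind of invocation.
// argc is not used as the signal: with register_argc_argv enabled it can be
// populated for web requests as well.
$samples = [
    'cron via php -f'       => ['cli', ['argc' => 1, 'argv' => ['cron.php']]],
    'browser request'       => ['apache2handler', ['REMOTE_ADDR' => '203.0.113.7']],
    'web request with argc' => ['fpm-fcgi', ['REMOTE_ADDR' => '203.0.113.7', 'argc' => 1]],
];
foreach ($samples as $label => [$sapi, $server]) {
    printf("%-22s => %s\n", $label, is_cli_invocation($sapi, $server) ? 'run' : 'refuse');
}
```

If the host's cron runs a CGI build of PHP instead, PHP_SAPI will not be 'cli' and this guard refuses the job, so check the binary's SAPI with `php -v` before relying on it.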
