Login

10-01-2009, 12:00 AM

[eluser]rvillalon[/eluser]
Jedd,

I apologize if I've offended you by not responding fast enough or seeming like I've not read through the replies. I appreciate everyone's take on the issue. Also, I have read through the replies, but there just seemed to be a lot of debate.

And to be exact on what I was trying to achieve: My main concern was to make sure the controller could not be accessed through a browser. The controller would be used for cron jobs that clears temporary database entries and user-uploaded images.

I have a website that allows users to add products on my website and images pertaining to those products. I use flash and jQuery for the uploads, and it can be used before products are created. So, if a user uploads an image and abandons the product before committing it to the database, it gets left on my server.

Furthermore, the images are actually stored on a different server, and domain. So having access to the plethora of libraries on CI, , such as the FTP library, really helps make things easier.

Aside from the images, there are other libraries in CI that helps make life easier.

But again, I wanted to make sure that my controllers that handled cron jobs would not be accessible through a browser--and there isn't really a security risk if they were accessed through through it, but I guess it's just personal preference.

Furthermore, let me close this discussion by sharing with you all my solution:

I will be using a combination of php_sapi_name and $_SERVER to restrict controller access. This would ensure that requests can only be made by CLI.

A comment found in the online PHP manual helps explain the reasoning better:

Quote:The php_sapi_name() function is extremely useful when you want to determine the type of interface. There is, however, one more gotcha you need to be aware of while designing your application or deploying it to an unknown server.

Whenever something depends on the type of interface, make sure your check is conclusive. Especially when you want to distinguish the command line interface (CLI) from the common gateway interface (CGI).

Note, that the php-cgi binary can be called from the command line, from a shell script or as a cron job as well! If so, the php_sapi_name() will always return the same value (i.e. "cgi-fcgi") instead of "cli" which you could expect.

Bad things happen to good people. Do not always expect /usr/bin/php to be a link to php-cli binary.

Luckily the contents of the $_SERVER and the $_ENV superglobal arrays depends on whether the php-cgi binary is called from the command line interface (by a shell script, by the cron, etc.) or by some HTTP server (i.e. lighttpd).

<?php
var_dump($_SERVER);
?>

Try to call php-cgi binary from the command line interface and then via HTTP request and compare the output of the script above. There will be plenty options to satisfy almost everyone.

For the sake of security remember, that contents of the $_SERVER and the $_ENV superglobal arrays (as well as $_GET, $_POST, $_COOKIE, $_FILES and $_REQUEST) should be considered tainted.

PHP Manual

jedd, thomas, guillermo, narcisha, attos, mattthehoople, attos, brian, affix: thank you all for your help.

Hope this helps someone in the future. :-)