In php cURL usage, what actually is CURLOPT_USERPWD working? I can see in many examples, like:
curl_setopt($ch,CURLOPT_USERPWD,"my_username:my_password");
.. but how to do at the Server Side? What actually are those username and password? Of course since i want to protect my PHP API page at Server Side, is that the best way or what is the best way to protect it please?
Ideally, you would have a separate config class that contained your user name and password. Then you would create a new version of that config class in your file with the cURL commands. Then you would pass the username and password as variables to the cURL commands. The cURL information will not be visible anyway as long as it is not echoed or printed. Even if you just put it in directly it would be hidden, but having it in a config file will allow you to change the values without changing the main page that contains the cURL commands.
Related
I have a url that I need to visit as part of a wider process on a project, I know that it works when I am logged in but obviously as part of the cron job it wouldn't be. If it were htaccess I would simply either use curl or wget and pass the username and password parameters accepted.
I have tried this already on this particular cron but it didn't seem to perform the task that the url is associated with. See example below:
curl -u username:password http://www.example.com (I would usually have the dev/null 2>&1 as part of the cron but I wish to see the output for now)
The problem is however that this page sits behind a form login and I am unsure of how to pass parameters to that form using a cron job.
Any help or advice would be greatly appreciated.
Using Curl:
You will need to pass the form login parameters, probably using the POST method. Check the form's HTML to be sure.
To do a POST request with curl, see https://superuser.com/questions/149329/what-is-the-curl-command-line-syntax-to-do-a-post-request.
This might not work for some forms, which implement CSRF. To work-around this, you would need to parse the HTML, find the CSRF token, and pass it as one of the POST request's data parameters.
Next, the login most likely returns a cookie. Your browser normally saves this, and gives the cookie back to the website on each page request. You will need to specify a cookie file. See Send cookies with curl.
There may be some investigation to work-around any more complicated login schemes, depending on the website.
Using an automated web-browser
The much easier alternative, is to use an automated browser, like Selenium webdriver. There are scripting interfaces you can use, like Capybara (a ruby gem). Using Capybara and Selenium to control a browser, you can avoid any techniques that websites might have which makes using CURL difficult (eg. if they detect and block bots).
The disadvantage is that you need to install it. However, once you do, you can use simple commands to do stuff, eg visit('http://www.google.com'), click_link('Link Text'), ...
Also, see:
require 'capybara'
session = Capybara::Session.new(:webkit, my_rack_app)
session.within("//form[#id='session']") do
session.fill_in 'Email', :with => 'user#example.com'
session.fill_in 'Password', :with => 'password'
end
session.click_button 'Sign in'
i have a php file named admin.php. It can be accessed by only X.But when i write the url like localhost/full/admin.php it can be viewed.it means if anyone knows the url he can access it.how can i provide security to this file thus it will be accessed.i am just using mysql and run it using localhost
you should look at the user & session management that php provides you. Look at it here. You can define users and its passwords, and authenticate them. This is the simplest method. Good luck
ACL will be more beneficial in the long run.
you could use something like:
if(strpos($_SERVER['HTTP_REFERER'], "https://mysite/a-page-that-sent-u-here") == true)
and then only allow access from a referrer page.
Or set a Session on one page, or even only allow it from your IP:
$_SERVER['REMOTE_ADDR']
Lots of ways
Normally I try to format my question as a basic question and then explain my situation, but the solution I'm looking for might be the wrong one altogether, so here's the problem:
I'm building a catalog application for an auction website that has the ability to save individual lots. So far this has worked great by simply creating a cookie with a comma-separated list of IDs for those lots, via something like this:
$_COOKIE["MyLots_$AuctionId"] = implode(",",$arrayOfIds);
The problem I'm now hitting is that when I go to print the lots, I'm using wkhtmltopdf through the command-line to request the url of the printout I want, like this:
exec("wkhtmltopdf '$urlofmylots' filename.pdf");
The problem is that I can't pass a cookie to this call, because Apache sees an internal request, not the request of the user. I tried putting it in the get string, but once I have more than a pre-set limit for GET parameters, that value disappears from the $_GET array on the target url. I can't seem to find a way to send POST data between them. My next possible ideas are the following:
Maybe just pass the sessionID to the url, and see if there's a way that I can use PHP to dig through the cookies for that session and pull the right cookie, but that sounds like it'd be risky security-wise for a PHP server to allow (letting one session be aware of another). Example:
exec("wkhtmltopdf '$urlofmylots?sessionId=$sessionIdFromThisRequest' filename.pdf");
Possibly set a session variable and then pass that session Id, and see if I can use PHP to wade through that information instead (rather than using the cookie).
Would I be able to just create an array and somehow have that other script be aware of it, possibly by including it? That doesn't really solve the problem of wkhtmltopdf expecting a web-facing address as its first parameter.
(not really an idea, but some reasoning) In other instances of using this, I've just passed an ID to the script that generates the markup for wkhtmltopdf to parse, and the script uses that ID to get data from the database. I don't want to store this data in a file or the database for the simple purpose of transferring data from the caller to the callee in this case. Cookies and sessions seem cleaner since apache/php handle memory allocation for these sessions.
The ultimate problem here is that I'm trying to get my second script (referenced here by $urlofmylots) to be aware of data available to the calling script but it's being executed as if it were an external web request, not two php scripts being called from the web root.
Can anyone offer some insight here?
You might consider rendering whatever the output of $urlofmylots?lots=$lots_to_print would be to a temporary file and running wkhtmltopdf against that file.
I have several pages that call in content via jQuery .ajax. I dont want the content visible on the page so thats why I went with .ajax and not showing/hiding the content. I want to protect the files inside the AJAX directory from being directly accessible through the browser url. I know that PHP headers can be spoofed and dont know if it is better to use an "access" key or try doing it via htaccess.
My question is what is the more reliable method? There is no logged on/non logged user status, and the main pages need to be able to pull in content from the pages in the AJAX directories.
thx
Make a temporary time-coded session variable. Check the variable in the php output file before echoing the data.
OR, if you don't want to use sessions.. do this:
$key = base64encode(time().'abcd');
in the read file:
base64decode
explode by abcd
read the time. Allow 5 seconds buffer. If the time falls within 5 seconds of the stamped request. You are legit.
To make it more secure, you can change your encrypting / decrypting mechanism.
I would drop this idea because there is no secure way to do it.
Your server will never be able to tell apart a "real" Ajax request from a "faked" one, as every aspect of the request can be forged on client side. An attacker will just have to look into a packet filter to see what requests your page makes. It is trivial to replicate the requests.
Any solution you work out will do nothing but provide a false sense of security. If you have data you need to keep secret, you will need to employ some more efficient protection like authentication.
Why not have the content be outside the webserver directory, and then have a php script that can validate if the person should see it, and then send it to them.
So, you have getcontent.php, and you can look at a cookie, or a token that was given to the javascript page and it uses to do the request, and then it will just fetch the real content, set the mime types and stream it to the user.
This way you can change your logic as to who should have access, without changing any of the rest of your application.
There is no real difference to having http://someorg.net/myimage.gif and http://someorg.net/myscript.php?token=887799&img_id=ddtw88 to the browser, but obviously it will need to work with GET so a time limited value is necessary as the user can see reuse it.
I'm not sure how to describe this, but basically I have a PHP class file:
class HelloHello {
public function getSomeData($input_parameter){
// code to retrieve data from the database
}
public function deleteSomeData($input_parameter){
// code to delete data from the database
}
}
This class is on the server and is part of the backend that connects with a database, and it's meant to be accessed by the frontend SWF only (not to be directly accessed). I've setup Flex to read this class and access it. But how do I make sure that someone doesn't develop a script that can call this php file directly and access its methods? For example using a script to add data in a fast automated way, or use the delete method directly, ouch.
Is this a legitimate concern, or this can't be done?
If a user can view it through your flash application, the user can view it with his application. You could go through the [ugly] mess of trying to "secure" your script by introducing cookies and authentication and the like, but thats messy, and of course, it can be gone around.
Instead of trying to stop others from accessing your php file, focus on making it more secure.
If you know the url where swf runs, can't you just in PHP limit the requests to that url? Disregard all other requests.
You can secure your file by adding security and authentication. If you cannot do that (it is a public application) you should implement some techniques which can prevent specific situations: do not allow calling your script too many times per second from the same IP, add CAPTHCA in order to check that the entered data were from a human and not a machine and maybe another ones.
You could also implement a challenge-reponse security system that makes sure the client you use is actually the intended recpipient of the data. That way, you would embed a secret key into the SWF. The PHP app sends a one-time string, the client does something to it according to its secret and then sends the answer back -- which your server can validate and then continue to run.
For some basic mathematical foundations to this, there's quite some documentation online.