Problem description:

In order to start processing a batch command, I need to call a different script from the page that I am on, but I need to ensure that the script was not called by anyone else.

Let me explain.

I need to contact my Credit Card Clearing company to issue a batch of transactions. These transactions MUST ONLY be taken out due to a specific user request.

If by mistake the command is taken out just by someone else this is a complete disaster.

I thought to take the script I need to call outside the website scope, for example a folder that neighbours the "includes" folder, and call it with a parameter, something like:

"php ../../batch.php?id=5&process=all"

But the thing is, that inside batch.php I cannot verify that the command was issued by anyone. I mean, when I process my own pages I always check if the user is logged in using SESSION variables.

But by executing a script, I believe this cannot be done as the system calls itself, or can it?

Is there a way to tell if the user is a confirmed user who executed the script?

How would you do it?

Thanks!

Answer:

If by mistake the command is taken out just by someone else this is a complete disaster.

Sure. But what do you think?!

$ php ../../batch.php?id=5&process=all

This is just invoking a command (php) via shell. Under a POSIX system, there always is a user invoking the command. Consult your system manual to find out about the user. A user is always authenticated in a shell environment. That's what it is for (at least in part).

So probably your problem is not authentication but just the point how you invoke the script. As you have not given much information in your question about the specifics of the context this is happening in, it just can't be answered (more specifically to the things already being written).

If you really want to ensure that a specific script is only called under very specific circumstances, create a user on the system only for that circumstance and don't share the passphrase; then only this user can invoke that command. Create a shell script out of it (shebang PHP) and make the file only available to that user.
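
The approach in this answer (a dedicated account plus a script only that account can use) can be enforced by a small wrapper that checks both conditions before PHP runs. This is an added example, not part of the original answer; the account name `ccbatch`, the path `/opt/billing/batch.php` and the `--id`/`--process` options are assumptions, and `batch.php` is assumed to read them with `getopt()`.

```shell
#!/bin/sh
# Added example. BATCH_USER, BATCH_SCRIPT and the --id/--process options are
# assumed names; batch.php is assumed to read its options with getopt().
BATCH_USER="${BATCH_USER:-ccbatch}"
BATCH_SCRIPT="${BATCH_SCRIPT:-/opt/billing/batch.php}"

# True only if this process runs as the dedicated account.
invoker_ok() {
    [ "$(id -un 2>/dev/null)" = "$1" ]
}

# True only if the path is a regular file (not a symlink or directory),
# owned by the given user, with no group/other permission bits set.
script_locked_down() {
    [ -n "$(find "$1" -prune -type f -user "$2" \
        ! -perm -040 ! -perm -020 ! -perm -010 \
        ! -perm -004 ! -perm -002 ! -perm -001 2>/dev/null)" ]
}

# id must be digits only, process lowercase letters only (e.g. 5 and all).
args_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    case $2 in ''|*[!a-z]*) return 1 ;; esac
    return 0
}

# Run the checks, then hand real CLI arguments to PHP.
run_batch() {
    invoker_ok "$BATCH_USER" || {
        echo "refused: must run as $BATCH_USER" >&2; return 77; }
    script_locked_down "$BATCH_SCRIPT" "$BATCH_USER" || {
        echo "refused: $BATCH_SCRIPT is not private to $BATCH_USER" >&2; return 78; }
    args_ok "$1" "$2" || {
        echo "usage: run_batch <numeric-id> <process>" >&2; return 64; }
    php "$BATCH_SCRIPT" "--id=$1" "--process=$2"
}

# Typical call from the dedicated account's shell: run_batch 5 all
```

The directory holding the script needs the same ownership and mode, since anyone who can write to it can replace the file.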

Answer:

Can you include it in the page? Edit it to accept extra arguments - username/userid/etc. If you can't edit it, have a wrapper script that does the checks and calls it.

Ultimately, you should make the calling script robust enough - SRP
