3

  1. I have on a server a PHP scrip that updates a DB.

  2. I want to be able to call this script from remote, either from another server or my localhost PC using a GET, or from the browser using AJAX,

  3. But I don't want anyone to be able to call this script unless allowed.

So far I simply added into the script a piece of code to verify a certain pin in the GET, i.e.

//myscript.php

if( isset($_GET['pin']) && $_GET['pin'] === '1234' )
{
   //update the DB...

In this way remote caller must know the pin, i.e.

file_get_contents(http://remoteserver.com/myscrip.php?pin=1234); //will work
file_get_contents(http://remoteserver.com/myscrip.php?pin=5678); //will NOT work

This seems so simple that I'm wondering if it's secure.

What are other possible more secure alternatives (maybe not too more complicated)?

For instance, I read about using an hash that changes over time, but is it worth it, how could it be done?

Improve this question

4 Answers 4

Reset to default
3

you could password protect the folder (can be done easy if you are using cpanel or plesk) and use curl to access that url.

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_USERPWD, $username . ':' . $password);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
$output = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

it works like a charm. Thanks, I simply changed a bit the code to be more clear,
2

Your solution is secure, but only up to a point, so it depends on just how important it is that others don't call it. For instance, if someone monitored the network traffic to that server, they would have the password, since it never changes. Remember it's being sent in cleartext over the Internet. So I personally would not have this PHP script update my Swiss bank account.

One option would be to have an algorithmic password based on the date and/or time so it would be different each time.

Another solution would be to have the script check the IP address of the request, which would be MUCH harder to hack without physical access to the server.

Improve this answer

2 Comments

The IP is not solution cause I would like to call the remote script from my localhost PC, but my IP is dynamically assigned by the ISP (every day it changes it).
You could resolve the IP address to a hostname and go off the fully qualified domain name. If your ISP is like most, the full domain name will have some geographical region component. That would at least prevent those from other countries from other countries from accessing it. You could also just check the first two numbers (quads) of the IP address which shouldn't change. Or narrowing it down further by looking up exactly what IP address range your ISP owns.
2

you can use Basic Authentication

Improve this answer

1 Comment

yes kind of since it would be base64 encode of username and password both . As you mention you gona use it with browser you gona get a nice pop up with easy way to enter username and password also checking the browser history will not reveal the "pin" unlike simple GET if you want more secure then en.wikipedia.org/wiki/Digest_access_authentication
1

The one problem with your example is that it would be collected by a browser's history collector. So if you typed in this GET at home , and the next day your kid starts typing "rem...", the browser will display the URL and your lone credential. If updating your database is not a destructive thing (it wouldn't be the worst if it happened an extra time or two), and you are relatively careful and disciplined (clear history each time), then this isn't too bad.

Since you're using PHP, you should look at PHP's preferred way.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.