
PHP: Is php_sapi_name() safe (can the user manipulate it)?

Tags: security, php

Can the user manipulate the value which is returned by php_sapi_name()?

I have a script which looks like this:

if( php_sapi_name() !== "cli" ){
   die( "NoAccess" );
}

// Do some admin stuff

This script should only (!) be called through command line. Is the code above safe? Or can somebody call the script through HTTP and execute it beyond the if condition?

asked Jan 09 '17 22:01

Tream


1 Answer

php_sapi_name()'s return value is safe to rely on. It's not generated from user data.

You shouldn't have this script accessible to your web server though if you don't want it to be called from your web server. If you cared about safety, this script wouldn't be accessible at all.

You also mentioned .htaccess... don't use that, use a proper config file elsewhere. .htaccess has to be loaded and parsed for every request, which is not efficient.

answered Sep 28 '22 23:09

Brad
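
The answer's point that a CLI-only script should not sit where the web server can reach it can be checked mechanically. The following is an added example, not code from the question or the answer: a POSIX shell audit that lists PHP files under a web root which carry a CLI-only SAPI guard. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a web root for PHP
# scripts that carry a CLI-only SAPI guard and so belong outside it.

# Print, sorted, every *.php file under $1 that compares php_sapi_name()
# or the PHP_SAPI constant against the string cli.
find_cli_guarded() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    guard="(php_sapi_name[[:space:]]*\([[:space:]]*\)|PHP_SAPI)[[:space:]]*[!=]==?[[:space:]]*[\"']cli[\"']"
    find "$docroot" -type f -name '*.php' -exec grep -lE "$guard" {} + | sort
}

# Build a constructed sample tree and print the audit result relative to it.
demo_audit() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public/admin"
    # Constructed: the guard from the question, sitting inside the web root.
    cat > "$root/public/admin/cleanup.php" <<'EOF'
<?php
if( php_sapi_name() !== "cli" ){
   die( "NoAccess" );
}
// Do some admin stuff
EOF
    # Constructed: an ordinary web page with no SAPI guard.
    printf '%s\n' '<?php echo "hello";' > "$root/public/index.php"
    # Constructed: the same guard written with the PHP_SAPI constant.
    printf '%s\n' "<?php if (PHP_SAPI != 'cli') { exit(1); }" > "$root/public/cron.php"
    find_cli_guarded "$root/public" | sed "s|^$root/||"
    rm -rf "$root"
}

demo_audit
```

Every path it prints is a script whose author intended command-line use only; moving those files out of the document root removes the dependence on the guard being the sole barrier.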