On Feb 6, 2008 1:55 AM, Robbert van Andel <[EMAIL PROTECTED]> wrote:
[snip]
> First off, the script runs great from the command line when I type "php5
> backup.php" but when I type ./backup.php I get an error: "bash:
> ./backup.php: No such file or directory".  I thought maybe this is a problem
> with the top declaration in the script "#!/usr/local/bin/php5". The problem
> is that it appears the server has several php5s I can reference

    See my note on this paragraph later in the message.  And more
importantly, see the addendum "SECURITY NOTICE" at the tail-end of
this email.

> /usr/local/apache/share/cgi-bin/php5
> /usr/local/bin/php5
>
> But it doesn't matter which one I put at the top of the script, I get the
> same error.

    In this case, use /usr/local/bin/php5, which will almost
undoubtedly be compiled as a CLI object, while the
../apache/share/cgi-bin/php5 is most likely a CGI binary or (less
likely) Apache module.  However, keep this part in mind, as with the
first paragraph, for later in the message.

> Okay, so I can live with having to type "php5 backup.php".  However, when I
> try to make a cron job from the script, the script never runs.  The crontab
> entry looks like this
> 1 0 * * 2 php5
> /kunden/homepages/23/d117947228/htdocs/oregonswimming/administration/backup/
> backup.php > backup.log

    In your cronjob, replace the php5 entry with the following
(including the backticks):
        `which php5`

    If that still doesn't work, replace it simply with php, not php5:
        `which php`

    This allows BASh/Shell to execute the eval'd command typed within
the backticks.

> I know the backup never runs because I redirect the output to a file and
> have an email sent to me upon conclusion of the script.  The log file
> doesn't show anything nor do I ever receive an email.  My web host will not
> provide any support for scripting, so I'm hoping someone here can help.

    Are you certain that the user under which the script is executed
via cron is yourself?  On rare occasions (some BSD boxes, Cobalt RaQ
RHL variants, et cetera), cron will not always run as the local user.
It may run as 'cron', 'crond', 'daemon', 'nobody', 'unpriv', 'anon',
or as whomever the sysop has it configured.

> Questions:
> * How do I determine what to put at the top of the script so that I can just
> call "backup.php"?

    Doing that is not such a great idea, and here's where the first
two paragraphs come into play: remove the interpreter designation line
(the first line, containing the #! characters).  Make sure the script
is enclosed in <?php ?> tags.  You can find scripts that written to
specifically run as crons that instead have the interpreter
designator, but it's just one more thing you'll have to manually
change when porting from one system to another, or if your host
updates their configuration.

    PLUS: Keep in mind that, even when using an interpreter
designator, you *still* have to enclose your code in the <?php ?> tags
(or, if short_open_tags is on, which it probably is, just use <? ?>
tags).  Why?  Because PHP is set to parse *only* code between those
tags, and even if you run the CLI with the -r flag (which allows you
to run code without the <? ?> tags), it will only run /one line/ of
code per call.  (See: `which php` --help  -OR-  `which php5` --help)

    So if you absolutely want to run it as ./backup.php from the local
directory, or 
/kunden/homepages/23/d117947228/htdocs/oregonswimming/administration/backup/backup.php,
here are the steps to do so:

    1.) chmod 755
/kunden/homepages/23/d117947228/htdocs/oregonswimming/administration/backup/backup.php
    2.) Line 1 (backup.php): #!/usr/local/bin/php5 (or whatever 'which
php5' or 'which php' says - no backticks here)
    3.) Enclose your code in <? ?> tags, not including the interpreter
designator (first line).


> * What, if anything, do I need to do to make the script work from cron?

    See above answers.

====
SECURITY NOTICE
====

    Here are some things to consider in this specific situation:

        1.) NEVER disclose full server path information as you did in
your email.  From that, I was easily able to discover the domain name,
based upon the fact that Oregon is a US state and "swimming" would
indicate the interests were most likely of a group or charitable
ORGanization.  ;-P

        2.) It's always a Bad Idea[tm] to place crons of that nature
in the web path.  I was able to run the cron without the need of
logging into your admin panel, because there was no security to stop
me.  And while all it will do is create a backup of your databases in
this particular case, the output from that file also gives me *highly
sensitive*, critical information about the location of web path
information, and ABSOLUTE WORST - gives me full access to all of your
database information in plain-text, and even a convenient zip file.

    ACTION ITEMS:
        1.) *IMMEDIATELY* move the 'backups' directory out of the
webroot.  Place it somewhere like
/kunden/homepages/23/d117947228/db-backups/ or even
/kunden/homepages/23/d117947228/crons/.  Make sure to update any
scripts that rely on the webroot-located backups directory.
Otherwise, you WILL have data stolen.  This list is archived on the
web all over, and it will only be a matter of time before some script
kiddie decides you're an easy target.


    Hope that helps.

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to