By peterk900 on
I have external PHP scripts that bootstrap Drupal to insert nodes. Access to the folder where the script resides is prevented for a non-authenticated user. However, if you know the script name, then it seems that anyone could paste the URL into a browser and run the script. This seems like a security weakness. What do I need to do to overcome this problem? Thanks.
Comments
Create a module that executes
Create a module that executes the script at a certain path, and put permissions on to that path.
Thank you - that's certainly
Thank you - that's certainly one way of doing it. But if I'm creating a module then I guess cURL/Bootstrapping isn't needed.
What I was hoping was to protect an external PHP script like this:
This code runs from a non-Drupal folder on the same server as the Drupal site where the node is being inserted. If I want to access a Drupal site on another server (another domain) then I can include the BOOTSTRAP code in a cURL script.
As an attempt at 'security' the code will only work if the parameter xx9 is supplied. So if someone finds out the file name (I don't mean get access to the script code), they can't run the file unless they know the parameter.
I guess you could get the parameter value from the Drupal variables table, which would mean it could be changed regularly. I suppose you could wrap the parameter in some other characters - e.g. date and time in reverse, and then test that the scrambled date and time was within 1 minute of when the script was run.
But all this is a bit tacky! It would be nice if the script could just include a username and password - just like you would do if you were connecting a non-Drupal script to MySQL. But it doesn't seem to work like that.
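The "secret parameter plus a timestamp checked within 1 minute" idea from the comment above can be done with a keyed hash instead of a reversible scramble. This is an added example, not code from the thread or from Drupal; the function names, the `ts` and `sig` parameter names and the demo secret are assumptions made for illustration.

```php
<?php
// Added example: sign_request(), verify_request(), 'ts' and 'sig' are hypothetical names.

const MAX_SKEW_SECONDS = 60; // the "within 1 minute" window from the post

// Caller side (e.g. the cURL script): sign the current time with the shared secret.
function sign_request(string $secret, int $now): array {
    $ts = (string) $now;
    return ['ts' => $ts, 'sig' => hash_hmac('sha256', $ts, $secret)];
}

// Script side: accept only a fresh timestamp carrying a matching signature.
function verify_request(array $params, string $secret, int $now): bool {
    $ts  = $params['ts']  ?? '';
    $sig = $params['sig'] ?? '';
    if (!is_string($ts) || !is_string($sig) || !ctype_digit($ts)) {
        return false; // missing or malformed input, including ts[]=1 style arrays
    }
    if (abs($now - (int) $ts) > MAX_SKEW_SECONDS) {
        return false; // stale or future-dated request
    }
    $expected = hash_hmac('sha256', $ts, $secret);
    return hash_equals($expected, $sig); // constant-time comparison
}

// Constructed demo values. In a real script the secret would be read from a
// file outside the web root and $params would be $_POST.
$secret = 'constructed-demo-secret';
$now    = 1700000000;
$cases  = [
    'fresh'  => sign_request($secret, $now),
    'stale'  => sign_request($secret, $now - 3600),
    'forged' => ['ts' => (string) $now, 'sig' => str_repeat('0', 64)],
];

foreach ($cases as $label => $params) {
    printf("%s: %s\n", $label, verify_request($params, $secret, $now) ? 'accept' : 'reject');
}

// In the external script, call verify_request() first and answer with
// HTTP 403 and exit before any Drupal bootstrap code runs if it returns false.
```

A captured `ts`/`sig` pair can be replayed inside the 60-second window, so send it over HTTPS in a POST body rather than in the URL, where it would end up in access logs and browser history.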