External supporting PHP (or Bash) scripts best practice?

[Jonathan Lahijani]

With every PW website, I usually create a folder in the root (let's call it "something") where I store various scripts that do random things (most of these scripts act on ProcessWire directly so I bootstrap it).  I execute them either by visiting the url in my browser or using the terminal.  There's a bit of security through obscurity with this approach that feels wrong.

Using something like RockShell is probably the more formal way to do it, but sometimes it may not be the right choice for short-lived scripts or scripts that don't act on PW directly, or if the script is written in Bash.  Also I haven't started using RockShell regularly yet although that's the plan (I'll have to convert a lot of sites).

So my question is, what is your go-to approach in terms of where to store and how to handle supporting scripts like I described?

[elabx]

26 minutes ago, Jonathan Lahijani said:

With every PW website, I usually create a folder in the root (let's call it "something") where I store various scripts that do random things (most of these scripts act on ProcessWire directly so I bootstrap it).  I execute them either by visiting the url in my browser or using the terminal.  There's a bit of security through obscurity with this approach that feels wrong.

Using something like RockShell is probably the more formal way to do it, but sometimes it may not be the right choice for short-lived scripts or scripts that don't act on PW directly, or if the script is written in Bash.  Also I haven't started using RockShell regularly yet although that's the plan (I'll have to convert a lot of sites).

So my question is, what is your go-to approach in terms of where to store and how to handle supporting scripts like I described?

My personal policy is to assume those will only be executable through shell, and save them in site/templates/cli or something like that, but always inside templates so that they are blocked by default by the default htaccess config.

[cwsoft]

I check permission (e.g. superuser) in the php script, use .htaccess folder protection and use get parameters to hide/redirect (404) non privileged users depending on how powerful the script is or what damage it may do in untrusted users hands. If in doubt, I create an admin module or upload the script only for the time required (with the measures above) and remove it afterwards via FTP.

[ColtNikolaus]

Thank you so much for the link, can I ask a question.

[netcarver]

@ColtNikolaus No need to ask for permission, doing so adds noise to the forum, creates work for other people, and delays possible answers. What is your actual question?