Posted: Tue Apr 03, 2007 2:50 pm
by Oren
Well, if that's what he meant, then he was right.
That's what you meant, Xoligy? If so, then I'm sorry.
Anyway, this whole discussion is pointless, since as I said, .ini files are not parsed as PHP when they are called directly.

Posted: Tue Apr 03, 2007 2:59 pm
by ngungo
Oren wrote:
Anyway, this whole discussion is pointless, since as I said, .ini files are not parsed as PHP when they are called directly

Not exactly, I said .inc.php not .inc alone.
The point I wanted to make but not sure if it was correct was:
Code:
define ('NOTMYAPP', false); // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
looks more comprehensible.
Posted: Tue Apr 03, 2007 3:14 pm
by Oren
ngungo wrote: Not exactly, I said .inc.php not .inc alone.
Damn... I'm sorry, I read too fast I guess.
Anyway, just do it like this:
Code:
define ('IN_APP', true); // this is in the main php (i.e. index.php)
if (!defined(IN_APP)) die("Hacking Attempt!!!"); // this is in .inc.php files
Posted: Tue Apr 03, 2007 3:38 pm
by feyd
Code:
if (!defined('IN_APP') or constant('IN_APP') !== 'some expected value')
{
die();
}
avoids the warnings that may fire.
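The guard from the post above, exercised end to end as an added example (not code from any poster in this thread). The file names, the `'expected-value'` string and the temp directory are assumptions, and it needs the PHP 7.3+ command-line binary; each file is run in its own PHP process to stand in for a separate request.

```php
<?php
// Added example: file names, the IN_APP value and the temp directory are assumptions.
$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}

// The include file: refuses to run unless the entry point defined IN_APP
// with the expected value. The name is quoted, so defined() looks up the
// constant by name instead of evaluating it first.
file_put_contents("$dir/db.inc.php", <<<'PHP'
<?php
if (!defined('IN_APP') or constant('IN_APP') !== 'expected-value') {
    die("blocked\n");
}
echo "include ran\n";
PHP);

// The intended entry point: defines the constant, then pulls in the include.
file_put_contents("$dir/index.php", <<<'PHP'
<?php
define('IN_APP', 'expected-value');
require __DIR__ . '/db.inc.php';
PHP);

// A script that defines the constant, but not with the expected value.
file_put_contents("$dir/other.php", <<<'PHP'
<?php
define('IN_APP', true);
require __DIR__ . '/db.inc.php';
PHP);

function run_script(string $path): string
{
    // Run the file in a fresh PHP process, as a direct request would.
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path);
    return trim((string) shell_exec($cmd));
}

// Only index.php should get past the guard.
foreach (['db.inc.php', 'index.php', 'other.php'] as $file) {
    printf("%-12s => %s\n", $file, run_script("$dir/$file"));
}

// Clean up the constructed files.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```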
Posted: Tue Apr 03, 2007 3:57 pm
by ngungo
feyd wrote:
Code:
if (!defined('IN_APP') or constant('IN_APP') !== 'some expected value')
{
die();
}
avoids the warnings that may fire.
you mean ||
Posted: Tue Apr 03, 2007 4:00 pm
by feyd
no, I mean "or"
Both || and "or" are valid in this context however. Yes, "or" is a real keyword in PHP.
Posted: Tue Apr 03, 2007 4:35 pm
by ngungo
Thanks! I did not know that. Newbie

Posted: Wed Apr 04, 2007 7:00 am
by fastfingertips
I don't understand why you don't store the include files in a location that is not public? And include that path from htaccess or using ini_set?
Posted: Wed Apr 04, 2007 7:50 am
by feyd
That doesn't really protect them at the source level.
Posted: Wed Apr 04, 2007 9:13 am
by ngungo
feyd,
Do you have a word of wisdom about how to do include, require files? What is the best practice to keep it secured and source code leak proof?
Posted: Wed Apr 04, 2007 9:20 am
by feyd
Consistency in prevention and protection in how your scripts are interacted with. Minimizing the number of scripts the user is allowed to interact with directly can help by forcing them through a wedge. Active monitoring of the (dedicated) server is another. Always getting the latest security patches (at least) for all packages used is important too.
Vigilance is the key.
Posted: Wed Apr 04, 2007 9:27 am
by ngungo
Thanks!
btw: 蜘龍 - I looked it up, it is very nice.