Posted: Tue Apr 03, 2007 2:50 pm
by Oren
Well, if that's what he meant, then he was right.
That's what you meant, Xoligy? If so, then I'm sorry.

Anyway, this whole discussion is pointless, since as I said, .ini files are not parsed as PHP when they are called directly :P

Posted: Tue Apr 03, 2007 2:59 pm
by ngungo
Oren wrote: Anyway, this whole discussion is pointless, since as I said, .ini files are not parsed as PHP when they are called directly :P
Not exactly, I said .inc.php not .inc alone.

The point I wanted to make, but I'm not sure if it was correct, was:

Code:

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files

looks more comprehensible.

Posted: Tue Apr 03, 2007 3:14 pm
by Oren
ngungo wrote:Not exactly, I said .inc.php not .inc alone.
Damn... I'm sorry, I read too fast I guess.

Anyway, just do it like this:

Code:

define ('IN_APP', true);              // this is in the main php (i.e. index.php)
if (!defined('IN_APP')) die("Hacking Attempt!!!"); // this is in .inc.php files; defined() takes the constant's name as a string

Posted: Tue Apr 03, 2007 3:38 pm
by feyd

Code:

if (!defined('IN_APP') or constant('IN_APP') !== 'some expected value')
{
  die();
}

avoids the warnings that may fire.

Posted: Tue Apr 03, 2007 3:57 pm
by ngungo
feyd wrote:

Code:

if (!defined('IN_APP') or constant('IN_APP') !== 'some expected value')
{
  die();
}

avoids the warnings that may fire.
you mean ||

Posted: Tue Apr 03, 2007 4:00 pm
by feyd
no, I mean "or"

Both || and "or" are valid in this context however. Yes, "or" is a real keyword in PHP.

Posted: Tue Apr 03, 2007 4:35 pm
by ngungo
Thanks! I did not know that. Newbie :)

Posted: Wed Apr 04, 2007 7:00 am
by fastfingertips
I don't understand why you don't store the include files in a location that is not public? And include that path from htaccess or using ini_set?

Posted: Wed Apr 04, 2007 7:50 am
by feyd
That doesn't really protect them at the source level.

Posted: Wed Apr 04, 2007 9:13 am
by ngungo
feyd,

Do you have a word of wisdom about how to do include, require files? What is the best practice to keep it secured and source code leak proof?

Posted: Wed Apr 04, 2007 9:20 am
by feyd
Consistency in prevention and protection in how your scripts are interacted with. Minimizing the number of scripts the user is allowed to interact with directly can help by forcing them through a wedge. Active monitoring of the (dedicated) server is another. Always getting the latest security patches (at least) for all packages used is important too.

Vigilance is the key.
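
The guard constant from earlier in the thread and the single entry point ("wedge") described in this post, combined in one script as an added example that is not code from any poster here. It is meant to be run from the PHP CLI; the file name news.inc.php, the page list and the dispatch() helper are assumptions made for the sketch.

```php
<?php
// Added illustration, not code from the thread. Run from the PHP CLI.
// news.inc.php, the page list and dispatch() are assumptions for this sketch.

// Constructed include file, written to a temp dir so the demo is self-contained.
$dir = sys_get_temp_dir() . '/guard_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
$inc = "$dir/news.inc.php";
file_put_contents($inc, <<<'GUARD'
<?php
// Guard as posted by feyd: quoted constant name, strict value comparison.
if (!defined('IN_APP') or constant('IN_APP') !== 'some expected value') {
    die();
}
return 'news body';
GUARD
);

// 1) Direct execution, as if the server ran news.inc.php on its own:
//    IN_APP is undefined in that process, so the guard exits before any output.
$direct = shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($inc));
echo 'direct call output bytes: ', strlen((string) $direct), "\n";

// 2) The single entry script ("wedge"): it alone defines the constant, and the
//    requested page is looked up in a fixed allowlist, never used as a path.
define('IN_APP', 'some expected value');
$pages = ['news' => $inc];

function dispatch(array $pages, string $page): string
{
    if (!isset($pages[$page])) {
        return 'not found';   // unknown or path-like names are rejected
    }
    return include $pages[$page];
}

echo dispatch($pages, 'news'), "\n";
echo dispatch($pages, '../news.inc'), "\n";

unlink($inc);
rmdir($dir);
```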

Posted: Wed Apr 04, 2007 9:27 am
by ngungo
Thanks!

btw: 蜘龍 - I looked it up, it is very nice.