Page 1 of 2

Security control logic

Posted: Tue Apr 03, 2007 10:42 am
by ngungo
There is some exclusion practice for include files such as:

Code: Select all

define ('MYAPP', true);                           // this is in the main php (i.e. index.php)
if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files
 
My question: Is the above snippet logically equivalent to:

Code: Select all

define ('NOTMYAPP', false);                // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
 

edit: correcting the second if condition from 'NOTMYAPP' to NOTMYAPP (without single quotes).

Posted: Tue Apr 03, 2007 10:54 am
by feyd
Nope. Your second snippet is using a string. Non-empty strings are considered true and will therefore execute your die() call.

Posted: Tue Apr 03, 2007 11:07 am
by Oren
You probably meant to this:

Code: Select all

if (NOTMYAPP)
(no single quotes)


Which is equivalent to:

Code: Select all

if (false)
(never executes)

Posted: Tue Apr 03, 2007 11:07 am
by ngungo
Oh! I am sorry. It should be:

Code: Select all

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files

Posted: Tue Apr 03, 2007 11:14 am
by ngungo
Oren wrote:You probably meant to this:

Code: Select all

if (NOTMYAPP)
(no single quotes)


Which is equivalent to:

Code: Select all

if (false)
(never executes)
Yes, you are right. I was syntactically mistaken.
The question: Are those two snippets logically equivalent?

Posted: Tue Apr 03, 2007 11:14 am
by Oren
ngungo wrote:Oh! I am sorry. It should be:

Code: Select all

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Then you will see a blank page (it won't die).

Posted: Tue Apr 03, 2007 11:19 am
by ngungo
Oren wrote:
ngungo wrote:Oh! I am sorry. It should be:

Code: Select all

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Then you will see a blank page (it won't die).
So they are equivalent?

Posted: Tue Apr 03, 2007 11:26 am
by Oren
Ok, here is a fast analyze that will clarify everything.

Analyze for:

Code: Select all

define ('MYAPP', true);                           // this is in the main php (i.e. index.php)
if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files 

Code: Select all

if (!defined('MYAPP'))
===

Code: Select all

if (!true)
===

Code: Select all

if (false)

Analyze for:

Code: Select all

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files

Code: Select all

if (NOTMYAPP)
===

Code: Select all

if (false)
P.S The above is true only in this specific context of course (i.e MYAPP was defined in the first piece of code).

Posted: Tue Apr 03, 2007 11:33 am
by ngungo
How about if a hacker tried to load .inc.php alone without going through main .php file, other words, MYAPP (same as NOTMYAPP) is not defined? Will they both die because the condition would be true in both cases?

Posted: Tue Apr 03, 2007 11:36 am
by ngungo
Or put it precisely, these two are equivalent:

Code: Select all

if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files 

Code: Select all

if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files

Posted: Tue Apr 03, 2007 11:43 am
by Xoligy
Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.

Posted: Tue Apr 03, 2007 11:52 am
by ngungo
Xoligy wrote:Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.
Very well put. Thanks!

Posted: Tue Apr 03, 2007 2:25 pm
by Oren
ngungo wrote:How about if a hacker tried to load .inc.php alone without going through main .php file, other words, MYAPP (same as NOTMYAPP) is not defined? Will they both die because the condition would be true in both cases?
Sorry, but that's not what I said. All I said was, that after reduction, both are equal to if (false) - and therefore will never execute.

Note that if you use .inc files, this whole thing is useless since the server will show you the plain text content of the .inc file and it won't be parsed as PHP (with default server configuration) unless included withing a PHP file.

Posted: Tue Apr 03, 2007 2:31 pm
by Oren
Xoligy wrote:Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.
What the hell are you talking about pal? the constant holds a boolean value - not a string.

Posted: Tue Apr 03, 2007 2:41 pm
by ngungo
I think what Xoligy said was if a constant is not defined php would automatically convert it to a string that has the value of the name of the constant.