Page 1 of 2
Security control logic
Posted: Tue Apr 03, 2007 10:42 am
by ngungo
There is some exclusion practice for include files such as:
Code: Select all
define ('MYAPP', true); // this is in the main php (i.e. index.php)
if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files
My question: Is the above snippet logically equivalent to:
Code: Select all
define ('NOTMYAPP', false); // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
edit: correcting the second if condition from 'NOTMYAPP' to NOTMYAPP (without single quotes).
Posted: Tue Apr 03, 2007 10:54 am
by feyd
Nope. Your second snippet is using a string. Non-empty strings are considered true and will therefore execute your die() call.
Posted: Tue Apr 03, 2007 11:07 am
by Oren
You probably meant to this:
(no single quotes)
Which is equivalent to:
(never executes)
Posted: Tue Apr 03, 2007 11:07 am
by ngungo
Oh! I am sorry. It should be:
Code: Select all
define ('NOTMYAPP', false); // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Posted: Tue Apr 03, 2007 11:14 am
by ngungo
Oren wrote:You probably meant to this:
(no single quotes)
Which is equivalent to:
(never executes)
Yes, you are right. I was syntactically mistaken.
The question: Are those two snippets logically equivalent?
Posted: Tue Apr 03, 2007 11:14 am
by Oren
ngungo wrote:Oh! I am sorry. It should be:
Code: Select all
define ('NOTMYAPP', false); // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Then you will see a blank page (it won't die).
Posted: Tue Apr 03, 2007 11:19 am
by ngungo
Oren wrote:ngungo wrote:Oh! I am sorry. It should be:
Code: Select all
define ('NOTMYAPP', false); // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Then you will see a blank page (it won't die).
So they are equivalent?
Posted: Tue Apr 03, 2007 11:26 am
by Oren
Ok, here is a fast analyze that will clarify everything.
Analyze for:
Code: Select all
define ('MYAPP', true); // this is in the main php (i.e. index.php)
if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files
===
===
Analyze for:
Code: Select all
define ('NOTMYAPP', false); // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
===
P.S The above is true only in this specific context of course (i.e MYAPP was defined in the first piece of code).
Posted: Tue Apr 03, 2007 11:33 am
by ngungo
How about if a hacker tried to load .inc.php alone without going through main .php file, other words, MYAPP (same as NOTMYAPP) is not defined? Will they both die because the condition would be true in both cases?
Posted: Tue Apr 03, 2007 11:36 am
by ngungo
Or put it precisely, these two are equivalent:
Code: Select all
if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files
Code: Select all
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Posted: Tue Apr 03, 2007 11:43 am
by Xoligy
Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.
Posted: Tue Apr 03, 2007 11:52 am
by ngungo
Xoligy wrote:Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.
Very well put. Thanks!
Posted: Tue Apr 03, 2007 2:25 pm
by Oren
ngungo wrote:How about if a hacker tried to load .inc.php alone without going through main .php file, other words, MYAPP (same as NOTMYAPP) is not defined? Will they both die because the condition would be true in both cases?
Sorry, but that's not what I said. All I said was, that after reduction, both are equal to
if (false) - and therefore will never execute.
Note that if you use .inc files, this whole thing is useless since the server will show you the plain text content of the .inc file and it won't be parsed as PHP (with default server configuration) unless included withing a PHP file.
Posted: Tue Apr 03, 2007 2:31 pm
by Oren
Xoligy wrote:Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.
What the hell are you talking about pal? the constant holds a boolean value - not a string.
Posted: Tue Apr 03, 2007 2:41 pm
by ngungo
I think what Xoligy said was if a constant is not defined php would automatically convert it to a string that has the value of the name of the constant.