PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Posted: Thu Feb 27, 2014 9:21 am
Forum Contributor

Joined: Wed Sep 25, 2013 4:09 am
Posts: 172
Hi, I have a file functions.php that contains... functions.
One function is Securelogin(), which checks if the user is logged in.

My page consists of the following files:
Header.php
Menu.php
Footer.php
Index.php
and some other files

Now my code in the Index.php is like the following:
blah blah
include 'functions.php';
blah blah
Securelogin();
Check if user == Logged in { //else bug off
<div id=container>
include 'Header.php';
include 'Menu.php';
include 'Footer.php';
</div>
}

So if I want to protect the content in my header, footer, menu .php (which I want) I start the page with something like
Header.php
Securelogin();
check if user == Logged in {
echo 'Hi Im a lame header';
}

So the function in the header works if the header is loaded through index.php (since index.php includes functions.php, which contains Securelogin()).
I know I should add include functions.php to the header file, but my question is:

Now if I just try to copy-paste the link directly to header.php I get an error and Header.php is not displayed. This is of course because I'm calling a function that is not defined, since I didn't include it.

Do I have to include functions.php in the header file, or is it just as secure without the include since the page "crashes" without the include, or is there a way to display the code when a page crashes... The browser says something like the file is not found or may contain an error...

My guess is that on my current server both options are secure, but by crashing the page I'm reliant upon a good server configuration, so the best practice is to do the include even in the header file, since I can export the page to a different server with perhaps other settings and still maintain security.

So what do you guys say?

Also, if I use include in index.php and then include the same file in header, menu and footer, will it load the file 4 times (using up memory) or will it skip the include if the file is already included before... or should I use include_once? I heard include is faster than include_once (not that I guess I will notice any difference in my application, but which is the best practice?). Include in index and include_once in header, menu and footer, or include_once in the index too...?

Thanks for taking time to answer this noob :)


Posted: Thu Feb 27, 2014 9:48 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
There's always include_once ...

Posted: Thu Feb 27, 2014 10:06 am
Forum Contributor

Joined: Wed Sep 25, 2013 4:09 am
Posts: 172
^^ Yes I know but that wasn't the answer to the question(s) :)


Posted: Thu Feb 27, 2014 10:13 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
I don't see why something like this wouldn't work.
<?php

include_once 'functions.php';

// Check the login before any page content is included
$logged_in = checkLogin($user);
if ($logged_in === false) {
    // Not logged in: redirect and stop, so nothing below is rendered
    header('Location: login.php');
    exit;
}

include_once 'header.php';
// etc.

Posted: Thu Feb 27, 2014 10:28 am
Forum Contributor

Joined: Wed Sep 25, 2013 4:09 am
Posts: 172
Because I want to protect all files... that is index.php... header.php... In your example, if you type http://mysite/header.php it would display header.php. That's why I need the checklogin on both index.php and header.php...

My question was: since I include functions.php within index.php, if I only use the checklogin() function in header.php (without any includes inside header.php), the checklogin() function will only work if I load header.php through index.php (since index includes the function lib). If I try to copy the URL for header.php it will crash, since I then call a function that doesn't exist (since it is not included inside header.php)... In both cases (whether I use include functions.php within header.php or not) the result is I won't be able to access header.php directly... If I use the include, header.php is "safe" due to my checklogin code, and if I don't include, I won't be able to access it since the page crashes because it calls an undefined function...

Are both ways equally secure? (I assume the crash option is less secure because it is dependent on correct server config.)

Are include and include_once equally fast? (I heard include_once is slower.)


Posted: Thu Feb 27, 2014 10:38 am
Moderator
Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
You could define a constant inside functions.php (or anywhere, really) and check inside header.php whether it is defined.

functions.php
<?php
// ...
define('FUNCTIONS_LOADED', true);


index.php as above

header.php
<?php defined('FUNCTIONS_LOADED') or die();

or something to that effect.

Posted: Thu Feb 27, 2014 10:43 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
hybris wrote:
Are include and include_once equally fast? (I heard include_once is slower.)

Of course it's going to be slower. It has to first check if the file has already been included. The speed difference is negligible, though, and not worth worrying about.

Posted: Thu Feb 27, 2014 10:48 am
Forum Contributor

Joined: Wed Sep 25, 2013 4:09 am
Posts: 172
Ok thanks :)


Posted: Thu Feb 27, 2014 4:39 pm
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13564
Location: New York, NY, US
It would probably make more sense to invert your design and have all the code above in your central template and have it include the content -- instead of what it is doing now. If you did that then everything would always be included. Then add a security setting/call on the pages that need it.

Also, research Front Controller.

Posted: Thu Feb 27, 2014 5:13 pm
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
I agree that would definitely be a much better approach. It is, however, also a considerable amount of work.

Posted: Fri Feb 28, 2014 2:53 am
Forum Contributor

Joined: Wed Sep 25, 2013 4:09 am
Posts: 172
Ok thanks guys,

I did manage to get a (for me quite complex) site up when learning the basics of PHP - DB programming. Ugly code, but it does the job.
Now I wanted to learn more about best practice and OO, so I thought a start would be to do a header and footer .php, which is like a semi-OO since I can reuse the header and footer easily on every page.

However, last night I was thinking about some better way to solve the problem and came up with this: the best for me would probably be to create a webpage class where I define the header/footer/menu and then use a variable to input the content of that page to the class...

I'm sorry, I'm not that good at expressing myself in English... but I thought something like this: $a = new webpage('Hello world'); and it would display a page with header, footer, menu, and the content field of that page would say hello world... So perhaps I could bake the security check into the class and also add a variable to the class to set whether the page is pw protected or not... like $a = new webpage('Hello world', 's'); where s = secure page...

I think this would be the best way for me to go...

BUT I still did not receive an answer to one of my questions... not that it matters for the development of my new page, but I'm still curious:
About the include part... If I include functions.php (that contains securelogin()) in header.php where I call the function, I will not be able to access header.php without being logged in if I write the URL directly in my browser, http://my-site/header.php, so that works as expected. However, if I do not include functions.php inside header.php but still call the function (since in my index.php I do the include, so it works as intended if header.php is called from index.php)... Anyway, even if I do not include functions.php I still cannot (on the webhotel I use atm) access the file header.php directly from my browser, since within header.php I'm calling an unknown function if I don't load header.php from index.php (which contains the include). The result is the browser says the page header.php doesn't exist or contains an error. <- This is also fine, since my goal is that you should not be able to display header.php by linking to it directly unless you are logged in (have a server session).

So I have 2 cases:
1) I use include functions in header.php -> my login script controls if the user can see the page or not.
2) I don't use include in header.php -> no one can access the page directly since the page "crashes" unless it is loaded from index.php.

I understand option 1 is better, since then security of the page is controlled by me and my scripts, so even if I port the page to a new server with different security settings the page would function as expected. However, on the server I'm currently using it seems to me (because the server seems to have good security settings) I cannot access the contents of the crashed page... Is there any way (for a hacker) to retrieve the code in this case that I didn't think about when the page crashes, or can't I go around the server answer that simply says the page contains an error or does not exist? I assume that if I port to a new server with wrong security settings (like display error reporting=on) the server might not redirect the user to a page that says the original page doesn't exist or contains an error, but instead display the code and say "<code here> hey... on line 3 you are calling a function that doesn't exist".

I'm just trying to get a better understanding of web security ^^ in general, since my long-term goal is to be able to create a website that can contain sensitive business information with reasonable security (I know it's almost impossible to guarantee 100% security... like the NSA will probably still be able to hack the site, but the script kiddie that works for our competitors will not).

Thank you for taking time to educate me :)


Posted: Fri Feb 28, 2014 6:58 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
hybris wrote:
BUT I still did not receive an answer to one of my questions... not that it matters for the development of my new page, but I'm still curious:
About the include part... If I include functions.php (that contains securelogin()) in header.php where I call the function, I will not be able to access header.php without being logged in if I write the URL directly in my browser, http://my-site/header.php, so that works as expected.

I already gave you a workaround for that. Neither approach is foolproof or 'best'; if you don't want something to be accessible, don't put it in the document root.

Your OO idea is a much better approach and will make the above point moot anyhow. I think you will find, however, that a simple webpage class is insufficient. I'd recommend downloading a framework and taking a look at how their code is structured. This will both provide you a platform on which to clean up your existing site as well as a great resource for learning.

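The layout the last two answers point to (a front controller, with the include files kept out of the document root), as an added example that is not code from the thread. The directory layout, the page names and the assumption that Securelogin() returns true for a logged-in session are illustrative.

```php
<?php
// public/index.php: the only PHP file inside the document root (added example).
// Assumed layout: ../app/functions.php, ../app/templates/*.php, ../app/pages/*.php
declare(strict_types=1);

// A fatal "undefined function" error is not access control: with display_errors
// on, the message reveals the file path and line, and any output sent before
// the failing call still reaches the browser. Log errors, do not display them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const APP_DIR = __DIR__ . '/../app';
require_once APP_DIR . '/functions.php'; // defines Securelogin() (name from the thread)

// Allow-list of pages (hypothetical names); 'secure' => true requires a login.
const PAGES = [
    'home'    => ['file' => 'home.php',    'secure' => false],
    'login'   => ['file' => 'login.php',   'secure' => false],
    'reports' => ['file' => 'reports.php', 'secure' => true],
];

// Map the ?page= parameter to an allow-list entry, or null if it is unknown.
// Only exact keys are accepted, so user input never becomes part of a path.
function resolvePage(array $query): ?array
{
    $name = $query['page'] ?? 'home';
    return is_string($name) && array_key_exists($name, PAGES) ? PAGES[$name] : null;
}

$page = resolvePage($_GET);
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}

// Assumption: Securelogin() returns true when the session is logged in.
if ($page['secure'] && Securelogin() !== true) {
    header('Location: /index.php?page=login');
    exit;
}

// Templates and page bodies live outside the document root, so a URL such as
// /header.php maps to no file and the web server answers 404 by itself.
require APP_DIR . '/templates/header.php';
require APP_DIR . '/templates/menu.php';
require APP_DIR . '/pages/' . $page['file'];
require APP_DIR . '/templates/footer.php';
```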
 
Posted: Fri Feb 28, 2014 8:51 am
Forum Contributor

Joined: Wed Sep 25, 2013 4:09 am
Posts: 172
Ok,

thanks guys for taking the time to answer me. I really appreciate it.

