Security control logic

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Security control logic

Post by ngungo »

There is some exclusion practice for include files such as:

define ('MYAPP', true);                           // this is in the main php (i.e. index.php)
if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files
 
My question: Is the above snippet logically equivalent to:

define ('NOTMYAPP', false);                // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
 

edit: correcting the second if condition from 'NOTMYAPP' to NOTMYAPP (without single quotes).
Last edited by ngungo on Sat Aug 02, 2008 10:50 pm, edited 2 times in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Nope. Your second snippet is using a string. Non-empty strings are considered true and will therefore execute your die() call.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

You probably meant this:

if (NOTMYAPP)
(no single quotes)


Which is equivalent to:

if (false)
(never executes)
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

Oh! I am sorry. It should be:

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

Oren wrote:You probably meant this:

if (NOTMYAPP)
(no single quotes)


Which is equivalent to:

if (false)
(never executes)
Yes, you are right. I was syntactically mistaken.
The question: Are those two snippets logically equivalent?
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

ngungo wrote:Oh! I am sorry. It should be:

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Then you will see a blank page (it won't die).
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

Oren wrote:
ngungo wrote:Oh! I am sorry. It should be:

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Then you will see a blank page (it won't die).
So they are equivalent?
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Ok, here is a quick analysis that will clarify everything.

Analysis for:

define ('MYAPP', true);                           // this is in the main php (i.e. index.php)
if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files 

if (!defined('MYAPP'))
===

if (!true)
===

if (false)

Analysis for:

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files

if (NOTMYAPP)
===

if (false)
P.S. The above is true only in this specific context, of course (i.e. MYAPP was defined in the first piece of code).
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

How about if a hacker tried to load .inc.php alone without going through the main .php file, in other words, MYAPP (same as NOTMYAPP) is not defined? Will they both die because the condition would be true in both cases?
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

Or put it precisely, these two are equivalent:

if (!defined('MYAPP')) die("Hacking Attempt!!!"); // this is in .inc.php files 

if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files
Xoligy
Forum Commoner
Posts: 53
Joined: Sun Mar 04, 2007 5:35 am

Post by Xoligy »

Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

Xoligy wrote:Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.
Very well put. Thanks!
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

ngungo wrote:How about if a hacker tried to load .inc.php alone without going through the main .php file, in other words, MYAPP (same as NOTMYAPP) is not defined? Will they both die because the condition would be true in both cases?
Sorry, but that's not what I said. All I said was, that after reduction, both are equal to if (false) - and therefore will never execute.

Note that if you use .inc files, this whole thing is useless since the server will show you the plain text content of the .inc file and it won't be parsed as PHP (with default server configuration) unless included within a PHP file.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Xoligy wrote:Yes but you're relying on PHP to convert the constant to a string and will generate a warning. There's no logical advantage of doing it that way and in fact you're relying on PHP's forgiving nature.
What the hell are you talking about pal? the constant holds a boolean value - not a string.
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

I think what Xoligy said was if a constant is not defined PHP would automatically convert it to a string that has the value of the name of the constant.
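As an added example that is not code from the thread, the following single script simulates both guard styles under the two scenarios discussed: the include file reached through the entry point (constants defined) and the include file requested directly (nothing defined). The file names index.php and helper.inc.php mentioned in the comments are assumed for illustration; the script itself runs as one file. The behaviour of a bare undefined constant depends on the PHP version: PHP 5 and 7.0/7.1 treat it as the string "NOTMYAPP" with an E_NOTICE, 7.2 to 7.4 raise E_WARNING, and 8.0 and later throw an Error.

```php
<?php
// Added example, not part of the original thread.
// Assumed layout: index.php defines the constants and includes helper.inc.php,
// which contains one of the two guards below.

// Guard 1 (the recommended form): defined() is a real function call and is
// safe whether or not the constant exists. Direct access -> blocked.
function guardWithDefined(): string
{
    if (!defined('MYAPP')) {
        return 'blocked';   // helper.inc.php would call die() here
    }
    return 'allowed';
}

// Guard 2 (the form questioned in the thread): a bare constant name.
// When NOTMYAPP was never defined the outcome is version-dependent:
//   PHP < 8: the name becomes the truthy string "NOTMYAPP" (notice/warning),
//            so the guard "works" only by accident of PHP's forgiving coercion.
//   PHP >= 8: an Error is thrown before the if is even evaluated.
function guardWithBareConstant(): string
{
    try {
        if (NOTMYAPP) {
            return 'blocked (by accident: string coercion)';
        }
        return 'allowed';
    } catch (Error $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Scenario A: helper.inc.php requested directly, nothing defined yet.
// (Constants cannot be undefined later, so this scenario must run first.)
echo "Direct access, MYAPP/NOTMYAPP undefined:\n";
echo '  defined() guard      : ', guardWithDefined(), "\n";
echo '  bare constant guard  : ', @guardWithBareConstant(), "\n";

// Scenario B: index.php ran first and defined both constants.
define('MYAPP', true);
define('NOTMYAPP', false);
echo "Included from index.php, constants defined:\n";
echo '  defined() guard      : ', guardWithDefined(), "\n";
echo '  bare constant guard  : ', guardWithBareConstant(), "\n";
```

The defined() form gives the same answer on every PHP version and emits no diagnostics, which is why it is the one to keep. The bare-constant form only reaches die() on old PHP because an undefined name is coerced to a non-empty string, exactly the point Xoligy and ngungo arrive at above, and on PHP 8 it fails with an Error instead. Either way the guard is a fallback: as Oren notes, include files should also be unreachable from the web root or be given an extension the server always hands to the PHP interpreter.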