Security control logic

Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Well, if that's what he meant, then he was right.
That's what you meant, Xoligy? If so, then I'm sorry.

Anyway, this whole discussion is pointless, since as I said, .ini files are not parsed as PHP when they are called directly :P
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

Oren wrote: Anyway, this whole discussion is pointless, since as I said, .ini files are not parsed as PHP when they are called directly :P
Not exactly, I said .inc.php not .inc alone.

The point I wanted to make but not sure if it was correct was:

Code:

define ('NOTMYAPP', false);              // this is in the main php (i.e. index.php)
if (NOTMYAPP) die("Hacking Attempt!!!"); // this is in .inc.php files

looks more comprehensible.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

ngungo wrote:Not exactly, I said .inc.php not .inc alone.
Damn... I'm sorry, I read too fast I guess.

Anyway, just do it like this:

Code:

define ('IN_APP', true);              // this is in the main php (i.e. index.php)
if (!defined(IN_APP)) die("Hacking Attempt!!!"); // this is in .inc.php files
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Code:

if (!defined('IN_APP') or constant('IN_APP') !== 'some expected value')
{
  die();
}

avoids the warnings that may fire.
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

feyd wrote:

Code:

if (!defined('IN_APP') or constant('IN_APP') !== 'some expected value')
{
  die();
}

avoids the warnings that may fire.
you mean ||
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

no, I mean "or"

Both || and "or" are valid in this context however. Yes, "or" is a real keyword in PHP.
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

Thanks! I did not know that. Newbie :)
fastfingertips
Forum Contributor
Posts: 242
Joined: Sun Dec 28, 2003 1:40 am
Contact:

Post by fastfingertips »

I don't understand why you don't store the include files in a location that is not public? And include that path from htaccess or using ini_set?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That doesn't really protect them at the source level.
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

feyd,

Do you have a word of wisdom about how to do include, require files? What is the best practice to keep it secured and source code leak proof?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Consistency in prevention and protection in how your scripts are interacted with. Minimizing the number of scripts the user is allowed to interact with directly can help by forcing them through a wedge. Active monitoring of the (dedicated) server is another. Always getting the latest security patches (at least) for all packages used is important too.

Vigilance is the key.
ngungo
Forum Commoner
Posts: 75
Joined: Thu Jun 08, 2006 10:45 pm

Post by ngungo »

Thanks!

btw: 蜘龍 - I looked it up, it is very nice.
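
The include guard discussed in this thread, exercised both ways, as an added example that is not part of any post above. It writes a guarded `.inc.php` file to a temporary directory, runs it once as the entry script (standing in for a direct request) and once through a script that defines the constant first. The file name, the temporary directory and the sample return value are assumptions made for the demonstration; run it with the PHP command line binary.

```php
<?php
// Added example, not code from the thread. Names and paths are assumptions.
declare(strict_types=1);

// Guard in the form feyd posted: quoted constant name plus a strict value check.
// The quoted name matters: defined() takes the constant's name as a string.
$guardedInclude = <<<'PHP'
<?php
if (!defined('IN_APP') or constant('IN_APP') !== 'some expected value') {
    die('blocked');
}
return ['db_user' => 'app'];   // constructed sample content of the include
PHP;

// Private scratch directory (0700) so the demo does not touch a real web root.
$dir = sys_get_temp_dir() . '/guard_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$inc = $dir . '/config.inc.php';
file_put_contents($inc, $guardedInclude);

// Case 1: the include is executed on its own, as happens when a client
// requests /config.inc.php directly. IN_APP is undefined, so the guard dies
// before the return statement is reached.
$direct = shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($inc));
echo 'direct call: ', var_export($direct, true), PHP_EOL;

// Case 2: the entry script (index.php in the thread) defines the constant
// and then pulls the file in. The guard passes and require returns the array.
define('IN_APP', 'some expected value');
$config = require $inc;
echo 'via entry script: ', var_export($config, true), PHP_EOL;

// Clean up the scratch files.
unlink($inc);
rmdir($dir);
```

The guard only controls what the file does when PHP executes it. Keeping include files outside the document root, as suggested earlier in the thread, additionally stops the web server from serving them at all if PHP handling is ever misconfigured.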