include security

[aps]

Apologies...multiple questions here...
I've noticed that some PHP coders put a routine at the top of their code that is used in an include, which validates whether a variable has been defined, and if it isn't stops processing.
Example, in main.php they will write define('IN_APP',true); they may then have an include such as include('include_file.php').
Then at the beginning of 'include_file.php' they might have...

Code: Select all

if ( !defined('IN_APP') )
{
   die("Hacking attempt");
}


Why is this important? Is this a common practice, and one I should be incorporating each time I use an include?

Lastly, should my include files all have php extensions? I had written some that I saved as txt files (even though I knew they had php code in them). My thinking was that I didn't want them to execute unless they were part of (i.e. included from) a php page.

Way sorry for the length and multipart nature of the question.

Many thanks in advance!
-APS

[gesf]

That's just a security precaution.
It's very useful for shared hosts to prevent other users to access your files. It's also a great idea to prevent people to break your code ($variables) through URL.

Cheers

[bokehman]

Not only should you use the php extension, you should also store your included files in a non-public directory.

[ruturajv]

if i'm not mistaken that bit of code is from phpBB codes right ?

You'll have to go through all the code to really understand... that...

[Alexei Kubarev]

hi guys, if you need to understand the phpbb code: ask me i had to go through it to understand where to make those changes most of you know about

and you dont need to go through the whole code

its simple

you request a page index.php:

Code: Select all

<?
define('IN_APP', true);
//Some more code here
?>

and then include some files: if you call thoser files directly you will get a hacking attempt as in_app is not defined

[victor123]

Hi,

My approach would be to store connection information as well as other sensible info in files outside of the document root. Thus it will not be possible to have them served via http. I would also not use .php extensions for them. See http://phpsec.org/projects/guide/3.html, it is quite helpful.

Regards.

[bokehman]

sensible info

You mean sensitive! I knew you were spanish as soon as I read that. My wife makes that mistake too and she's madrileña.

[Alexei Kubarev]

if you have configured your server correctly: it will not be any problem as it will not be possible to see the source of your config file

[victor123]

Hahahaha... well, bokehman give her my best regards, i am also madrileño... i guess there are mistakes that are very common for people that share the same language...

Cheers.