
include security

Postby aps » Fri Nov 05, 2004 3:11 am

Apologies...multiple questions here...
I've noticed that some PHP coders put a routine at the top of their code that is used in an include, which validates whether a variable has been defined, and if it isn't stops processing.
For example, in main.php they will write define('IN_APP', true); they may then have an include such as include('include_file.php').
Then at the beginning of 'include_file.php' they might have...
Code:
if ( !defined('IN_APP') )
{
   die("Hacking attempt");
}

Why is this important? Is this a common practice, and one I should be incorporating each time I use an include?

Lastly, should my include files all have php extensions? I had written some that I saved as txt files (even though I knew they had php code in them). My thinking was that I didn't want them to execute unless they were part of (i.e. included from) a php page.

Way sorry for the length and multipart nature of the question.

Many thanks in advance!
-APS
aps
New php-forum User
 
Posts: 4
Joined: Thu Nov 04, 2004 2:55 pm

Postby gesf » Fri Nov 05, 2004 5:50 am

That's just a security precaution.
It's very useful on shared hosts to prevent other users from accessing your files. It's also a great idea to prevent people from breaking your code ($variables) through the URL.

Cheers
gesf
Moderator
 
Posts: 1718
Joined: Sun Dec 29, 2002 5:03 am
Location: Portugal / Sweden

Postby bokehman » Mon May 30, 2005 5:44 am

Not only should you use the php extension, you should also store your included files in a non-public directory.
bokehman
New php-forum User
 
Posts: 3
Joined: Mon May 30, 2005 5:41 am

Postby ruturajv » Mon May 30, 2005 7:44 pm

If I'm not mistaken, that bit of code is from the phpBB code, right?

You'll have to go through all the code to really understand... that...
ruturajv
php-forum Super User
 
Posts: 1280
Joined: Sat Mar 22, 2003 9:42 am
Location: Mumbai, India

Postby Alexej Kubarev » Tue May 31, 2005 1:11 am

Hi guys, if you need to understand the phpBB code: ask me :D I had to go through it to understand where to make those changes most of you know about :)

And you don't need to go through the whole code :)

It's simple :D

You request a page index.php:
Code:
<?php
define('IN_APP', true);
// Some more code here
?>


and then include some files: if you call those files directly you will get a "Hacking attempt" as IN_APP is not defined :)
Alexej Kubarev
Site Admin
 
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län
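The pattern the thread describes, written out as an added example (not code from the thread or from phpBB): an entry point that defines IN_APP and an include file that refuses to run without it, with the include kept outside the document root as bokehman and victor123 suggest. The directory layout (public/ as document root, app/ beside it), the function name greet and the DB_CONFIG values are assumptions; both files are shown in one block for readability.

```php
<?php
// --- app/include_file.php ---
// Assumed layout: the web server's document root is public/, and app/ sits
// beside it, so nothing in app/ can be requested over HTTP at all.
// The IN_APP guard is the thread's defence in depth for the case where the
// file does end up somewhere reachable (e.g. a misconfigured vhost).
if (!defined('IN_APP')) {
    // A bare 403 reveals less than die("Hacking attempt") and is easy to
    // spot in access logs: a 403 on a path that should never be hit directly.
    http_response_code(403);
    exit;
}

// Credentials belong in the same non-public directory, never in a .txt file
// inside the document root, where the server would hand them out as plain
// text. Values below are placeholders.
const DB_CONFIG = [
    'host' => 'localhost',
    'user' => 'app_user',
    'pass' => 'CHANGE_ME',
];

// Hypothetical helper, standing in for whatever the include really provides.
function greet(string $name): string
{
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// --- public/index.php ---  (the only file meant to be requested over HTTP)
define('IN_APP', true);

// Resolve the include relative to this file, never from a request parameter,
// so no URL value can influence which file gets included.
require __DIR__ . '/../app/include_file.php';

echo greet('world'), PHP_EOL;
```

Requesting public/index.php prints the greeting; requesting app/include_file.php directly is impossible with this layout, and if the file were ever copied into the document root the guard would answer with an empty 403.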

Postby victor123 » Tue May 31, 2005 3:04 am

Hi,

My approach would be to store connection information as well as other sensible info in files outside of the document root. Thus it will not be possible to have them served via http. I would also not use .php extensions for them. See http://phpsec.org/projects/guide/3.html, it is quite helpful.

Regards.
victor123
New php-forum User
 
Posts: 192
Joined: Mon Sep 06, 2004 1:23 am
Location: Madrid, Spain

Postby bokehman » Tue May 31, 2005 3:14 am

victor123 wrote: sensible info
You mean sensitive! I knew you were Spanish as soon as I read that. My wife makes that mistake too and she's madrileña.
bokehman
New php-forum User
 
Posts: 3
Joined: Mon May 30, 2005 5:41 am

Postby Alexej Kubarev » Tue May 31, 2005 3:19 am

If you have configured your server correctly, it will not be any problem, as it will not be possible to see the source of your config file.
Alexej Kubarev
Site Admin
 
Posts: 2223
Joined: Fri Mar 05, 2004 7:15 am
Location: Täby, Stockholms län

Postby victor123 » Tue May 31, 2005 9:23 am

Hahahaha... well, bokehman, give her my best regards, I am also madrileño... I guess there are mistakes that are very common for people who share the same language...

Cheers.
victor123
New php-forum User
 
Posts: 192
Joined: Mon Sep 06, 2004 1:23 am
Location: Madrid, Spain
