
PHP = oh noes security

I had a few questions about how to lock down a site, since as far as I can tell, mine is currently wide open.

One of my include files declares a couple of important global variables such as the database access string and so on. I put a check with defined() at the top so that each script including it needs to define a constant first…

But if someone found the PHP file and figured out how to fool the define-thing, wouldn’t they have wide open access to my db? What other mechanisms exist for protecting a script from being ‘included’ off-site?


4 Comments

@ShrineDesigns Aug 30.2004 — If another site includes that file into a page, it will only get the output (i.e. HTML) of that page; so, if the page doesn't output anything to the browser, it will get nothing in return, and none of the variables, classes, constants, etc. will be accessible from the remote site.
@MstrBob Aug 30.2004 — Of course, if you're concerned, want some peace of mind, and want to make your website friendly, you could always make your included pages like this:

[code=php]
<?php
// Redirect if this file was requested directly (the request URI is its own
// path) or if the including script did not define CONSTANT first.
// Note: REQUEST_URI also carries any query string, so this only matches a
// bare request for the file.
if ($_SERVER['REQUEST_URI'] == $_SERVER['PHP_SELF'] || !defined('CONSTANT')) {
    header("Location: anotherpage.php");
    exit; // header() alone does not stop execution; the rest would still run
} else {
    // Perform Script
}
?>
[/code]
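One way to implement the guard the question asks about, as an added example rather than code from the thread: the include refuses to run unless an entry script defined a constant first, and it also refuses when the web server is serving the include itself, answering with a 403 instead of a redirect. Two files are shown in one listing; the file names, the APP_ENTRY constant and the database values are assumptions.

```php
<?php
// ==== File: app/config.inc.php (kept OUTSIDE the web document root) ====
// Guard for an include that holds secrets. It bails out unless the entry
// script defined APP_ENTRY first, and also when the web server is serving
// this very file. APP_ENTRY, the paths and the DB values are assumptions
// made for this example, not values from the thread.
$servedDirectly = isset($_SERVER['SCRIPT_FILENAME'])
    && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__;

if ($servedDirectly || !defined('APP_ENTRY') || APP_ENTRY !== true) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Forbidden'); // exit: nothing below is evaluated or echoed
}

// Only reached through a legitimate entry script.
define('DB_DSN',  'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4');
define('DB_USER', 'app_user');   // placeholder credentials
define('DB_PASS', 'change-me');  // placeholder credentials

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }
    return $pdo;
}

// ==== File: public/index.php (the only script under the document root) ====
// Shown in the same listing for brevity; in practice it is a separate file
// that begins with its own opening PHP tag.
define('APP_ENTRY', true);
require __DIR__ . '/../app/config.inc.php';

// ... page logic using db() ...
echo 'ok';
```

Because app/ sits outside the document root, the web server can never serve config.inc.php directly, and pulling it into a script on another host would require that host to have allow_url_include enabled, which is Off by default.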
@sciguyryan Aug 30.2004 — If you're looking for security info, look here:

http://forums.devshed.com/showthread.php?t=20525&page=1

RyanJ
@mikepurvis (author) Aug 30.2004 — [QUOTE][i]Originally posted by ShrineDesigns[/i]

[B]If another site includes that file into a page, it will only get the output (i.e. HTML) of that page; so, if the page doesn't output anything to the browser, it will get nothing in return, and none of the variables, classes, constants, etc. will be accessible from the remote site.[/B][/QUOTE]

Ah. I see.

(I only own one domain, so I don't have a way of testing these things...)