
I have been inspecting some PHP source codes and I more often than not find files starting with

defined('__someconstant__') or exit();

I know that this prevents the file from being accessed directly unless a previous file has defined __someconstant__, but then I wonder if this is really necessary... Isn't there (even non-PHP based) a cleaner way of doing it without introducing this extra code in every file?

3 Answers


Isn't there (even non-PHP based) a cleaner way of doing it without introducing this extra code in every file?

Presence of such snippets indicates bad code structuring, namely code automatically executing in global scope. You shouldn't have this or exit(); code in pure function/class includes. It would be redundant there.

Code that does perform potentially dangerous actions should not be web-accessible in the first place. The or exit; approach is a workaround. It should always be accompanied by a FilesMatch and Deny from All in a .htaccess file however. Best set the whole include directory inaccessible.


2 Comments

.htaccess is web-server dependent, this isn't.
Yes. But most other servers should have a feature for that too, if nothing else but a global config. Nanoweb has .nwaccess and nginx some mini scripting language e.g. With a suphp/suexec setup you could just resort to directory permissions.

To avoid those (useless) lines at the top of (nearly) each file, your could:

  • Store a public "controller" file (like index.php) in a directory called web or public, to which your web server's alias or virtual host points

  • Store in other directories like lib, config, apps... all the files that should not be directly accessed through the webserver by simply typing an URL.

This is typically the structure of existing frameworks such as Symfony 1.x

Additionally you can (and certainly will, for URL rewrites) put a .htaccess file, but a server misconfiguration can incidentally disable it, so keeping source files in distinct directories is IMO better.

3 Comments

I'm surprised you're the only one that mentioned the most secure way of preventing direct access to your files, i.e., don't put them in the document root!
@JohnCartwright Yes, but this requires additional configuration. Also this might not be an option available to everyone, especially to many people using shared hosting.
@NullUserExceptionఠ_ఠ when using aliases or virtual hosts, the configuration difficulty is the same (just point to {projectroot}/web instead of {projectroot}). However you're right, this won't be suitable for shared hosting with too few configuration options. But if you don't want to take too many risks (security, source code privacy, outage...), shared hosting might not be an option.
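The layout the first two answers describe, as an added example that is not code from either answer or from any framework mentioned on this page: a front controller under public/ is the only file the web server can reach, the include lives one directory above the document root, and the include still carries the defined() guard as defense in depth in case the directory is ever exposed by a server misconfiguration. The constant name APP_ROOT, the directory names public/ and lib/, and the report function are assumptions chosen for the illustration.

```php
<?php
// ===== file: public/index.php (the only file under the web server's DocumentRoot) =====
// Added example; APP_ROOT, public/ and lib/ are assumed names, not from the answers.

// The constant is the "this request came through the front controller" marker.
define('APP_ROOT', dirname(__DIR__));

// The include lives one level above the document root, so no URL maps to it.
require APP_ROOT . '/lib/report.php';

header('Content-Type: text/plain');
echo build_report(['cpu' => 0.42, 'mem' => 0.71]); // constructed sample input


<?php
// ===== file: lib/report.php (outside the document root) =====
// Defense in depth: if a misconfiguration ever serves lib/ over HTTP, a direct
// request stops here with an empty body and nothing below this line executes.
defined('APP_ROOT') or exit;

// Only a function definition follows: nothing runs at include time, which is
// the "no code automatically executing in global scope" point of the first answer.
function build_report(array $metrics): string
{
    $lines = [];
    foreach ($metrics as $name => $value) {
        $lines[] = sprintf('%-4s %5.1f%%', $name, $value * 100);
    }
    return implode("\n", $lines) . "\n";
}
```

With the virtual host or alias pointing at public/, a request for /index.php prints the two report lines, while lib/report.php has no URL at all; the guard only matters on the day someone points the document root at the project root by mistake, at which point a request for /lib/report.php returns an empty response instead of running whatever the file contains. The web-server-level denial (FilesMatch plus Deny from All) the first answer recommends is configured separately and is the stronger control; the guard is the portable fallback the third answer argues for.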

Adding to @NullUserException's answer...

Yes there are other ways of preventing a file from being accessed directly (.htaccess being one), but for software that is shared with a wide audience, you can't really rely on those technologies being there. You can rely on a simple condition at the top of the files though.

1 Comment

regardless of all other answers and comments on this thread... this is the simplest and best answer to "a cleaner way"... because .htaccess (or other access config) may be stronger but it requires coordinating various (possibly personalized) server configs with code from various sources (great if you have the ability and access!)... defined() || exit provides the most direct... simplest/cleanest... and RELIABLE solution
