
functions.php, is that a security threat?


#1
TcM

I believe a lot in OOP because it makes life easier, so in PHP (for my latest project) I decided to make a functions.php and put every function there. Then in the actual page I will only call a couple of functions and the page will be properly displayed with all the components I want in it, and with a simple call I can put whatever component I want in whatever page I want. But does this luxury come as a security threat?

For example, the admin login process (which even if some ******* makes an SQL injection he will still not be able to log in, because he will need something else): I made (nearly) everything hardcoded in the admin file itself. Is that more secure, or would it not make a difference if I had to code that as a function in functions.php?

Thanks.

#2
BlaineSch

Including a functions.php poses no security threats in my head. Even if they do find it (which can be avoided by sticking it below home_dir or public_html), when they run it they will only get a blank page, and since they can't do anything with the page because no GET or POST data will do anything to it, I do not think it poses any problems.

I once found a dbconnect.php file I could access and couldn't do much with it.

#3
John

What I see a lot of people do in this situation is define a constant and make sure it is defined before allowing functions.php to execute.

index.php
define("INCLUDE", 1);
require_once("functions.php");
...

functions.php
if(!defined('INCLUDE')) die();

function my_function() {
    ...
}
...
That way, if anyone tries to access the file directly, "INCLUDE" won't be defined and therefore it will die. It also hinders a hacker if you have any RFI vulnerability (until they realize they need to define a constant).

#4
G33k


John said:

What I see a lot of people do in this situation is define a constant and make sure it is defined before allowing functions.php to execute.

index.php
define("INCLUDE", 1);
require_once("functions.php");
...

functions.php
if(!defined('INCLUDE')) die();

function my_function() {
    ...
}
...
That way, if anyone tries to access the file directly, "INCLUDE" won't be defined and therefore it will die. It also hinders a hacker if you have any RFI vulnerability (until they realize they need to define a constant).

What is the point of doing it like this? If someone accesses my functions.php they won't be able to do anything, they will just get a blank page.

#5
TcM

What do the define and require_once do?

I am just doing it like this:
include 'functions.php';


#6
Orjan

require_once has two purposes.

1) require instead of include makes a fatal error if the file to be included does not exist
2) _once has the ability to check whether the file has already been included before, and if so, it's not re-included

The four inclusion functions in PHP are:

include
require
include_once
require_once
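The constant check from post #3 and the include/require/_once differences from post #6, as an added example that is not part of any post in this thread. It assumes the PHP CLI (7.4 or later) with shell_exec() enabled; every file name except functions.php, the top-level echo in the library and the marker strings are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. File names other than
// functions.php and all file contents are constructed for the demo.
// Assumes the PHP CLI with shell_exec() enabled.
$dir = sys_get_temp_dir() . '/guard_demo_' . uniqid();
mkdir($dir);

// The library gets a top-level echo as a stand-in for any code that runs
// when the file is loaded. $guard is the check quoted in the thread.
$guard = "if(!defined('INCLUDE')) die();\n";
$body  = "echo 'SIDE-EFFECT';\nfunction my_function() { return 'component'; }\n";
$files = [
    'unguarded.php' => "<?php\n" . $body,
    'functions.php' => "<?php\n" . $guard . $body,
    'inc.php'       => "<?php @include 'missing.php'; echo 'REACHED';",
    'req.php'       => "<?php require 'missing.php'; echo 'REACHED';",
];
foreach ($files as $name => $code) {
    file_put_contents("$dir/$name", $code);
}

// Run a file as its own entry point, which is what happens when a web
// server is asked for that file's URL directly.
function run_directly(string $path): string {
    return (string) shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path));
}
$ran = fn(string $name, string $marker): bool =>
    strpos(run_directly("$dir/$name"), $marker) !== false;

$report = [
    'direct request runs unguarded top-level code' => $ran('unguarded.php', 'SIDE-EFFECT'),
    'direct request runs guarded top-level code'   => $ran('functions.php', 'SIDE-EFFECT'),
    'script continues after failed include'        => $ran('inc.php', 'REACHED'),
    'script continues after failed require'        => $ran('req.php', 'REACHED'),
];

// Normal use: the entry script defines the constant, then loads the library.
define("INCLUDE", 1);
ob_start();
require_once "$dir/functions.php";
$second = require_once "$dir/functions.php"; // second call for the same file
$report['library ran once for two require_once calls'] =
    substr_count(ob_get_clean(), 'SIDE-EFFECT') === 1 && $second === true;
$report['my_function() is available'] = my_function() === 'component';

var_dump($report);
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

The guard only changes the outcome for a library that has top-level code; a file containing nothing but function definitions produces an empty response on a direct request with or without it.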