Checking a constant for security reasons
Some applications use this code as the FIRST LINE of every page included by index.php:
if (!defined('SECURE_CONST')) { die("Access denied!"); }
Why do they need to use this? Is it necessary for security? If yes, how can I use it properly?
It's done to ensure that the files are not executed directly. For example:
/index.php
<?php
define('SECURE_CONST', 1);
include 'include_me.php';
?>
/include_me.php
<?php
if (!defined('SECURE_CONST')) { die("Access denied!"); }
?>
Then, if http://example.com/index.php is requested, SECURE_CONST will be defined and so die() will not be invoked when include_me.php is included. However, if http://example.com/include_me.php is requested directly, SECURE_CONST is never defined and so the script bails.
If your web server is configured securely -- i.e. files not intended to be accessed directly are outside the web root or in a directory made inaccessible by e.g. .htaccess -- this should be unnecessary. Developers who use "security" measures like this probably do so because they assume, rightly, that many people using their software will not take the time to understand the security issues and configure their servers properly, and so use methods like this as a failsafe.
This is probably meant to protect against directly requesting files that are supposed to be used as included/required files only.
Usually, the constant is defined in, for example, your index.php:
index.php
<?php
define('SECURE_CONST', true);
require('someIncludeFile.php');
someIncludeFile.php
<?php
if (!defined('SECURE_CONST')) { die("Access denied!"); }
// the actual code starts here
My guess would be that this is supposed to prevent loading a page without going through index.php, which defines SECURE_CONST and does other permission checking etc. at that time. So having SECURE_CONST defined means the request went through index.php, which should mean all permission-related things are taken care of and hence the request is "trustable".
This would be much better handled by properly structuring the application/file layout though and making sure that all requests go through certain steps by handling requests properly. For example, rewriting all requests to invoke a front controller that handles requests. Being defensive at every turn in the application is fighting an uphill battle, introduces unnecessary code and can lead to security holes if this line is forgotten.
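As an added illustration of the front-controller layout this answer recommends (example code, not from the original post): index.php is the only script under the web root, it performs the permission check once, and it includes page scripts from an allow-list stored outside the web root. The directory names, the `page` query parameter and the `user_id` session key are assumptions.

```php
<?php
// public/index.php -- the single entry point under the web root (constructed example).
declare(strict_types=1);

// Marks that this request came through the front controller, exactly as the
// SECURE_CONST pattern on this page does; page scripts keep their defined() check
// as defence in depth.
define('SECURE_CONST', true);

// Allow-list of page names to files: the include path is never built from raw input,
// so a request cannot pull in an arbitrary file.
$routes = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
];

$page = $_GET['page'] ?? 'home';
if (!isset($routes[$page])) {
    http_response_code(404);
    exit('Not found');
}

// Permission checks happen once, here, before any page script runs.
session_start();
if ($page === 'profile' && empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Access denied');
}

// Page scripts live in app/pages/, a sibling of public/ and therefore outside the
// web root: they cannot be requested directly even if a guard line is forgotten.
require __DIR__ . '/../app/pages/' . $routes[$page];
```

With a web server configured to serve only public/, the `if (!defined('SECURE_CONST'))` line at the top of each page script becomes a second layer rather than the only one.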
If it's only possible for this constant to be defined when you've executed a certain bit of code, for instance a successful login script, then all of those pages will know that you've logged in or otherwise caused execution of that code.
That answers the second part of your question too. The user has to cause a certain piece of code, containing the constant declaration, to execute before those pages will work.
Pretty good, but I had a different approach; look at my code below.
file_that_needs_security.php
<?php
if (!defined("START")) { // only index.php defines START
    header("HTTP/1.1 403 Forbidden");
    die("403.14 - Directory listing denied.");
}
?>
then to check it: index.php
<?php
// Main stuff here
if (!defined("START")) {
    define("START", microtime()); // marks that this request passed through index.php
}
include "file_that_needs_security.php";
echo "Works Fine!!!";
?>
so when you go to file_that_needs_security.php it will output:
403.14 - Directory listing denied.
But when you go to index.php it will output:
Works Fine!!!