PHP Define security issues?

index.php:

define("included", true);

INCLUDED PAGES:

if (included !== true) header('HTTP/1.1 404 Not Found'); 

The purpose for the codes was to disallow access directly but allow it if included. I am not sure if this opens any risks. I am not allowed to override .htaccess so I am stuck with a PHP alt开发者_StackOverflowernative.

Any help would be much appreciated!

A sexier way is...

defined('included') OR exit;

That is, use the correct function (defined()) to see if a value is defined, and then exploit short circuit evaluation.

Also, you can probably just use an existing define rather than create one specifically, e.g. your bootstrap file may define something like...

define('DOCROOT', realpath(basename(__FILE__)));

...in which case you would be safe to use DOCROOT.

You should also be keeping any PHP files besides your bootstrap above your document root, and then ensuring your site is safe from directory traversal attacks :)

This is fine, but I would change it to:

if (!defined('included')) { 
    header('HTTP/1.1 404 Not Found'); 
    // actually make the request stop, since clients will not stop on 404 headers
    die(); 
}

cheers

How about just moving all the files that aren't supposed to be accessed directly to a directory outside of webserver's document root?

Usually you use a setup like you are doing, but perform a die or exit to abort it, and not worry about redirecting. Even if they know the file exists, it's useless if you can't access the contents.

common.php (or your index.php, depending your setup)

<?php
  define('IN_PAGE',true);
  ...
?>

include_file.php

<?php
  defined('IN_PAGE') or die('Unallowed access'); // or header('HTTP/1.0 404 Not Found'); exit;
  ...
?>

A simpler method is:

<?php
   @runtime_presence();

Which leads to a fatal error if the function stub wasn't centrally defined before. (Header redirecting and a pretty error message are not useful as security measure.)