
Checking a constant for security reasons

Developer https://www.devze.com 2023-04-12 22:17 Source: web
Some applications use this code as FIRST LINE on every page included by the index.php:

if (!defined('SECURE_CONST')) { die("Access denied!"); }

Why do they need to use this? Is it necessary for security? If yes, how can I use it properly?


It's done to ensure that the files are not executed directly. For example:

/index.php

<?php
  define('SECURE_CONST', 1);
  include 'include_me.php';
?>

/include_me.php

<?php
  if (!defined('SECURE_CONST')) { die("Access denied!"); }
?>

Then, if http://example.com/index.php is requested SECURE_CONST will be defined and so die() will not be invoked when include_me.php is included. However, if http://example.com/include_me.php is requested directly, SECURE_CONST is never defined and so the script bails.

If your web server is configured securely, i.e. files not intended to be accessed directly are outside the web root or in a directory made inaccessible by e.g. .htaccess, this should be unnecessary. Developers who use "security" measures like this probably do so because they assume, rightly, that many people using their software will not take the time to understand the security issues and configure their servers properly, and so use methods like this as a failsafe.


This is probably meant to protect against directly requesting files that are supposed to be used as included/required files only.

Usually, the constant is defined in, for example, your index.php:

index.php

<?php
define('SECURE_CONST', true);
require('someIncludeFile.php');

someIncludeFile.php

<?php
if (!defined('SECURE_CONST')) { die("Access denied!"); }
// the actual code starts here


My guess would be that this is supposed to prevent loading a page without going through index.php, which defines SECURE_CONST and does other permission checking etc. at that time. So having SECURE_CONST defined means the request went through index.php which should mean all permission related things are taken care of and hence the request is "trustable".

This would be much better handled by properly structuring the application/file layout though and making sure that all requests go through certain steps by handling requests properly. For example, rewriting all requests to invoke a front controller that handles requests. Being defensive at every turn in the application is fighting an uphill battle, introduces unnecessary code and can lead to security holes if this line is forgotten.
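The following is an added example, not code from any of the answers above, showing the layout the first and third answers argue for: only public/index.php sits under the document root, every request is rewritten to it, the permission check runs once before any page file is loaded, and the SECURE_CONST guard remains in each page file purely as a failsafe that sends a real 403. The block holds two files, to be split at the `// ----` markers; the directory names, the route table, the `user_id` session key and the .htaccess shown in the comment are all assumptions made for the example.

```php
<?php
// ---- public/index.php ----
// Added example (not the original answers' code). Assumed layout:
//   public/index.php        <- the only PHP file under the document root
//   public/.htaccess        <- "RewriteEngine On
//                              RewriteCond %{REQUEST_FILENAME} !-f
//                              RewriteRule ^ index.php [L]"
//   app/pages/home.php      <- outside the document root, never served directly
//   app/pages/account.php   <- outside the document root, never served directly
declare(strict_types=1);

define('SECURE_CONST', true);   // defined exactly once, before anything is included
session_start();

// Explicit route table: request data never becomes a file name, so
// "?page=../../etc/passwd" or "?page=php://filter/..." can never reach require().
$routes = [
    'home'    => ['file' => 'home.php',    'auth' => false],
    'account' => ['file' => 'account.php', 'auth' => true],
];

$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !isset($routes[$page])) {   // "?page[]=x" would be an array
    http_response_code(404);
    exit('Not found');
}

// Centralised permission check: a page that needs a login is never included
// unless the session says the user is authenticated (session key is an assumption).
if ($routes[$page]['auth'] && empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Absolute path built from __DIR__ and the whitelisted name, not from the request.
require __DIR__ . '/../app/pages/' . $routes[$page]['file'];
```

```php
<?php
// ---- app/pages/account.php ----
// The guard is the very first statement, so nothing runs if this file is ever
// reached directly (for example after app/ is mistakenly copied under the web
// root). Unlike die("Access denied!"), which answers with HTTP 200, it sends a 403.
if (!defined('SECURE_CONST')) {
    http_response_code(403);
    exit('Forbidden');
}

echo 'Account page for user ' .
    htmlspecialchars((string) $_SESSION['user_id'], ENT_QUOTES, 'UTF-8');
```

With this layout the guard can be forgotten in a page file without creating a hole, because the web server cannot serve app/ at all; the guard only matters if the deployment is later broken. The same effect under nginx is a `location` that routes everything to index.php with `try_files`, with app/ kept outside `root`.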


If it's only possible for this constant to be defined when you've executed a certain bit of code, for instance a successful login script, then all of those pages will know that you've logged in or otherwise caused execution of that code.

That answers the second part of your question too. The user has to cause a certain piece of code, containing the constant declaration, to execute before those pages will work.


Pretty good, but I had a different approach; look at my code below.

file_that_needs_security.php

<?php

    // Bail out with a real 403 unless index.php has already defined START.
    if (!defined("START")) {
        header("HTTP/1.1 403 Forbidden");
        die("403.14 - Directory listing denied.");
    }

?>

Then, to check it, index.php:

<?php

    // Main stuff here
    // Define START once per request; the included file checks for it.
    if (!defined("START")) {
        define("START", microtime());
    }
    include "file_that_needs_security.php";

    echo "Works Fine!!!";

?>

So when you go to file_that_needs_security.php it will output:

403.14 - Directory listing denied.

But when you go to index.php it will output:

Works Fine!!!
