PHP - Website Security Using a Global Variable

I recently looked through some PHP source code, specifically forum software like phpBB and esoTalk.

I noticed one thing: most of them used a global variable at the beginning of their pages as some protection, for example:

    if (!defined("IN_ESOTALK")) exit; // For esoTalk
    if (!defined("IN_PHPBB")) exit; // For phpBB

What kind of security is this? I do not understand. Could you explain to me what this prevents and how?

Thanks, Vidh

+6
3 answers

It works by making sure the PHP script does not start until the environment is running. Thus, the user cannot execute the script without going to the corresponding page.

Here is an example. We have 2 files:

index.php

    <?php
    // Entry point: define the marker constant before loading anything else.
    define("_MY_FRAMEWORK", 1);
    echo 'started';
    require('script.php');
    ?>

and script.php

    <?php
    // Stop immediately unless the entry point has defined the marker constant.
    if (!defined("_MY_FRAMEWORK")) exit;
    echo "my script";
    ?>

If you run script.php directly, nothing will happen because _MY_FRAMEWORK is undefined. It will exit.

However, if you run index.php, which includes script.php, the script will continue because you first defined _MY_FRAMEWORK. You will get the full output: started, and then my script.

@Gumbo makes a good point: if you have not seen define before, it defines a constant that cannot be changed. User contributions to PHP documentation can be helpful in understanding how this works.

+7

It also prevents variable manipulation with register_globals.

If register_globals is enabled in php.ini, users can change the variables in the script by changing the variable in the URL, but this will not allow them to change the value of constants that were defined using the define function.

+1
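The difference the answers above describe, between a guard flag held in a variable and one held in a constant, shown as an added example that is not code from any of the answers or from phpBB or esoTalk. The names `IN_APP`, `in_app` and the helper functions are hypothetical, the request data is constructed, and register_globals (removed in PHP 5.4.0) is simulated by copying request parameters into `$GLOBALS`.

```php
<?php
// Added example; all names here are hypothetical, not from phpBB or esoTalk.

// Constructed request data, standing in for script.php?in_app=1&IN_APP=1
$request = ['in_app' => '1', 'IN_APP' => '1'];

// register_globals (removed in PHP 5.4.0) turned request parameters into
// global variables. This helper reproduces that effect for the demo.
function simulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Weak guard: the "included by the entry point" flag is a global variable,
// so anything that can create a global variable can set it.
function variable_guard_passes(): bool
{
    return !empty($GLOBALS['in_app']);
}

// Guard from the question: the flag is a constant created by define().
// Request parameters can only become variables, never constants.
function constant_guard_passes(): bool
{
    return defined('IN_APP');
}

// Case 1: the include file is requested directly, so the entry point never
// ran and nothing legitimate has set either flag.
simulate_register_globals($request);
printf("direct request, variable guard passes: %s\n",
    var_export(variable_guard_passes(), true));
printf("direct request, constant guard passes: %s\n",
    var_export(constant_guard_passes(), true));

// Case 2: the request goes through the entry point, which defines the
// constant before it requires the include file.
define('IN_APP', 1);
printf("via entry point, constant guard passes: %s\n",
    var_export(constant_guard_passes(), true));
```

The guard only stops an include file from running on its own; it is not an access control and does not replace keeping include files outside the web root.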

These are global constants. In doing so they make sure that their software works as it is intended.

+1