maxudaskin Posted August 6, 2008

In Joomla, they start the front page codes with

```php
<?php defined( '_JEXEC' ) or die( 'Restricted access' ); ?>
```

How does this work if that is the first thing done? Full code:

```php
<!--Name: TJ Sublime-->
<!--URL: http://sublime.themejoomla.com-->
<!--Copyright: Theme Joomla-->
<!--URL: http://www.themejoomla.com-->
<?php defined( '_JEXEC' ) or die( 'Restricted access' ); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $this->language; ?>" lang="<?php echo $this->language; ?>" dir="<?php echo $this->direction; ?>" >
<head>
<jdoc:include type="head" />
<link href="<?php echo JURI::base(); ?>templates/<?php echo $this->template; ?>/images/favicon.ico" rel="shortcut icon" />
<?php include("sublime.php");?> <!--calls all sublime specific code, CSS files and conditions-->
</head>
<body>
<a id="corner" target="_blank" href="http://www.themejoomla.com">Support Joomla!</a>
<div class="site_wrap">
  <div id="site_faux">
    <div id="left_area">
      <div id="header"></div>
      <div id="main_menu"><jdoc:include type="modules" name="user3" style="sublime" /></div>
      <div id="pathway">Navigation: <jdoc:include type="modules" name="breadcrumb" /></div>
      <div id="inset"><jdoc:include type="modules" name="inset" style="sublime" /></div>
      <div id="users">
        <div id="user_one"><jdoc:include type="modules" name="user1" style="sublime" /></div>
        <div id="user_two"><jdoc:include type="modules" name="user2" style="sublime" /></div>
      </div>
      <div id="content"><jdoc:include type="component" /></div>
    </div>
    <div id="right_area">
      <div id="right_wisp"></div>
      <div id="logo"></div>
      <div id="search"><jdoc:include type="modules" name="user4" style="sublime" /></div>
      <div id="side_modules"><jdoc:include type="modules" name="left" style="sublime" /></div>
    </div>
  </div>
  <div id="footer_faux">
    <div id="banner"><jdoc:include type="modules" name="user9" style="sublime" /></div>
    <div id="footer"><jdoc:include type="modules" name="footer" style="sublime" /></div>
  </div>
  <div id="footer_spacer"></div>
</div>
<!--This is a link back to Theme Joomla, and is hidden, and will not effect your site-->
<div id="link_back"><h1><a href="http://www.themejoomla.com" target="_blank">Theme Joomla</a></h1></div>
</body>
</html>
```
Naez Posted August 6, 2008

Basically, it's preventing you from accessing include pages directly. For instance:

main.php

```php
<?php
@define('IN_MAIN',true);
include('test.php');
// code goes here
?>
```

test.php

```php
<?php
@defined('IN_MAIN') or die('Not in main');
?>
```

If test.php is accessed directly, defined('IN_MAIN') would return false so the parser would skip to the die statement... much like when you see:

```php
mysql_connect('','','') or die(mysql_error());
```
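The guard only protects files that actually carry it, so a quick audit is useful. The following is an added example, not code from the thread or from Joomla: it uses PHP's tokenizer to check that a source file's first PHP statement is `defined('CONST') or die(...)`. The function name `hasAccessGuard`, the sample file names and the sample sources are hypothetical and constructed for illustration.

```php
<?php
// Added example: check that a PHP file starts with a direct-access guard
// of the form  defined('CONST') or die(...);  before any other statement.

function hasAccessGuard(string $source, string $constant): bool
{
    // Tokens allowed before the guard. T_INLINE_HTML is skipped because a
    // template may print HTML comments before its first PHP tag.
    $skip = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_INLINE_HTML];
    $sig = [];
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && in_array($token[0], $skip, true)) {
            continue;
        }
        if ($token === '@' && $sig === []) {
            continue; // optional error-suppression prefix, as in @defined(...)
        }
        $sig[] = $token;
        if (count($sig) === 6) {
            break;
        }
    }
    if (count($sig) < 6) {
        return false;
    }
    [$fn, $open, $name, $close, $or, $exit] = $sig;
    return is_array($fn) && $fn[0] === T_STRING && strtolower($fn[1]) === 'defined'
        && $open === '('
        && is_array($name) && $name[0] === T_CONSTANT_ENCAPSED_STRING
        && trim($name[1], "'\"") === $constant
        && $close === ')'
        && is_array($or) && in_array($or[0], [T_LOGICAL_OR, T_BOOLEAN_OR], true)
        && is_array($exit) && $exit[0] === T_EXIT; // die and exit share T_EXIT
}

// Constructed sample sources; the file names are hypothetical.
$samples = [
    'guarded_template.php' => "<!--Name: demo-->\n<?php defined( '_JEXEC' ) or die( 'Restricted access' ); ?>\n<html></html>",
    'suppressed_guard.php' => "<?php @defined('_JEXEC') or die('Not in main'); ?>",
    'late_guard.php'       => "<?php\n\$rows = load();\ndefined('_JEXEC') or die;",
    'no_guard.php'         => "<?php echo 'stylesheet links';",
];

foreach ($samples as $file => $source) {
    printf("%-22s %s\n", $file, hasAccessGuard($source, '_JEXEC') ? 'guarded' : 'MISSING GUARD');
}
```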
maxudaskin Posted August 6, 2008 (Author)

What does @define('IN_MAIN',true); do?
Naez Posted August 6, 2008

It defines a constant. Constants can only be scalar types.

http://www.php.net/manual/en/language.constants.php
maxudaskin Posted August 6, 2008 (Author)

What does the @ do in that line?
Naez Posted August 6, 2008

Suppresses errors, and if you don't have it you usually won't see the die statement in most PHP installs (the script will still die regardless though).
awpti Posted August 6, 2008

Avoid using suppression. Handle your errors or let PHP display 'em. @ symbols in code to suppress errors severely increase execution time.
Naez Posted August 6, 2008

Unfortunately you are wrong in this regard. When using a die statement in this way you must use suppression as I previously stated. Consider the following:

w/o suppression

```php
<?php
mysql_connect('fakehost','user','pass') or die('ERROR!: ' .mysql_error());
?>
```

Output:

```
Warning: mysql_connect() [function.mysql-connect]: Unknown MySQL server host 'fakehost' (11001) in C:\xampp\htdocs\index.php on line 3
```

Now with suppression:

```php
<?php
@mysql_connect('fakehost','user','pass') or die('ERROR!: ' . mysql_error());
?>
```

Output:

```
ERROR!: Unknown MySQL server host 'fakehost' (11001)
```

Also, using @ does not "severely" increase execution time, I don't know where you got that idea. However I do agree that errors should be handled differently, but I wouldn't get into that subject on this board (More people should use the exception class).
DarkWater Posted August 6, 2008

> Avoid using suppression. Handle your errors or let PHP display 'em. @ symbols in code to suppress errors severely increase execution time.

That's funny, it seems to speed it up a lot for me. I tested your statement really quick with this:

```php
<?php
$start = microtime(true);
for ($i=0;$i<1000;$i++) {
    // fopen() needs a mode argument; 'r' on a missing file raises a warning
    fopen('foo.txt', 'r'); //nonexistent
}
echo microtime(true) - $start;
?>
```

And the same thing with @ in front of fopen(), and got:

```
Without @: 0.429750919342
With @: 0.00551605224609
```
maxudaskin Posted August 6, 2008 (Author)

That is pretty damn neat.
DarkWater Posted August 6, 2008

If I had to guess, I'd say it was the resources needed to generate a thousand Warnings and output them that caused the delay. But still.
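The thread weighs `@ ... or die(mysql_error())` against handling errors, and the unsuppressed warning quoted above shows why raw output matters: it discloses the host name and the script's filesystem path. The following is an added example, not code from any poster: it turns warnings into exceptions, writes the detail to the server log and shows the visitor only a generic message. It uses fopen() on a missing file instead of mysql_connect() so it runs offline; the function name `openOrNull` and the file name are hypothetical.

```php
<?php
// Added example: handle the failure instead of suppressing it with @.
// Warnings become exceptions; details go to the log, not to the visitor.

set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // severity is masked (for example by @); leave it to PHP
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Hypothetical helper: returns a stream resource, or null if the open failed.
function openOrNull(string $path)
{
    try {
        return fopen($path, 'r'); // a missing file raises E_WARNING -> exception
    } catch (ErrorException $e) {
        // Full detail (message, script path, line) stays in the server log.
        error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
        return null;
    }
}

// Constructed path that is assumed not to exist.
$handle = openOrNull(__DIR__ . '/foo-does-not-exist.txt');

if ($handle === null) {
    http_response_code(500);
    exit("Sorry, something went wrong.\n"); // no host names or paths disclosed
}

fclose($handle);
```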