Hacker Prevention


maxudaskin


In Joomla, the front-page code starts with

<?php
defined( '_JEXEC' ) or die( 'Restricted access' );
?>

 

How does this work if that is the first thing done?

 

Full code:

<!--Name: 			TJ Sublime-->
<!--URL:			http://sublime.themejoomla.com-->
<!--Copyright:		Theme Joomla-->
<!--URL:			http://www.themejoomla.com-->

<?php defined( '_JEXEC' ) or die( 'Restricted access' ); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $this->language; ?>" lang="<?php echo $this->language; ?>" dir="<?php echo $this->direction; ?>" >
  <head>
    <jdoc:include type="head" />
<link href="<?php echo JURI::base(); ?>templates/<?php echo $this->template; ?>/images/favicon.ico" rel="shortcut icon" />
    <?php include("sublime.php");?> <!--calls all sublime specific code, CSS files and conditions-->
  </head>
<body>
<a id="corner" target="_blank" href="http://www.themejoomla.com">Support Joomla!</a>
<div class="site_wrap">
<div id="site_faux">
	<div id="left_area">
		<div id="header"></div>
		<div id="main_menu"><jdoc:include type="modules" name="user3" style="sublime" /></div>
		<div id="pathway">Navigation: <jdoc:include type="modules" name="breadcrumb" /></div>
		<div id="inset"><jdoc:include type="modules" name="inset" style="sublime" /></div>
		<div id="users">
			<div id="user_one"><jdoc:include type="modules" name="user1" style="sublime" /></div>
			<div id="user_two"><jdoc:include type="modules" name="user2" style="sublime" /></div>
		</div>
		<div id="content"><jdoc:include type="component" /></div>
	</div>
	<div id="right_area">
		<div id="right_wisp"></div>
		<div id="logo"></div>
		<div id="search"><jdoc:include type="modules" name="user4" style="sublime" /></div>
		<div id="side_modules"><jdoc:include type="modules" name="left" style="sublime" /></div>
	</div>
</div>
<div id="footer_faux">
	<div id="banner"><jdoc:include type="modules" name="user9" style="sublime" /></div>
	<div id="footer"><jdoc:include type="modules" name="footer" style="sublime" /></div>
</div>
    <div id="footer_spacer"></div>
</div>
<!--This is a link back to Theme Joomla, and is hidden, and will not effect your site-->
<div id="link_back"><h1><a href="http://www.themejoomla.com" target="_blank">Theme Joomla</a></h1></div>
</body>
</html>


Basically, it's preventing you from accessing include pages directly.

 

for instance:

 

main.php

<?php
// main.php: define the marker constant before including the protected file
@define('IN_MAIN', true);
include('test.php');
// code goes here
?>

 

test.php

<?php
// test.php: only runs when main.php has already defined IN_MAIN
@defined('IN_MAIN') or die('Not in main');
?>

 

If test.php is accessed directly, defined('IN_MAIN') would return false so the parser would skip to the die statement... much like when you see:

mysql_connect('','','') or die(mysql_error());

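To make the guard concrete, here is an added example (not code from the thread, from Joomla or from the TJ Sublime template) that builds a small protected include file and runs it both ways: once included by a "front controller" that has defined the marker constant, and once as its own process, which is what the web server does when someone requests the file by URL. The constant name, file name and function names are assumptions chosen for the demonstration; the only real fact it relies on is that `defined()` checks the constant table of the current process.

```php
<?php
// Added example: why "defined('_JEXEC') or die(...)" stops direct requests
// but lets the front controller's include through.
// Assumptions: PHP CLI available as PHP_BINARY; a direct web request is
// simulated by executing the protected file in a fresh process.

const GUARD_CONST = '_JEXEC'; // same marker name Joomla's index.php defines

// Write a protected include into $dir. The HTML comment before the <?php tag
// mirrors the header of the template quoted above and shows what still leaks.
function writeProtectedFile(string $dir): string
{
    $path = $dir . DIRECTORY_SEPARATOR . 'protected_' . bin2hex(random_bytes(4)) . '.php';
    $src = "<!-- template header: emitted before the guard runs -->\n"
         . "<?php defined('" . GUARD_CONST . "') or die('Restricted access'); ?>\n"
         . "<p>Secret template body</p>\n";
    file_put_contents($path, $src);
    return $path;
}

// Case 1: the front controller defines the marker, then includes the file,
// so the guard passes and the whole template is rendered.
function includeViaFrontController(string $path): string
{
    if (!defined(GUARD_CONST)) {
        define(GUARD_CONST, 1);
    }
    ob_start();
    include $path;
    return ob_get_clean();
}

// Case 2: a direct request starts a new PHP process in which nothing has
// defined the marker, so defined() is false and die() ends the script.
function requestDirectly(string $path): string
{
    $cmd = escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($path) . ' 2>&1';
    return (string) shell_exec($cmd);
}

$file = writeProtectedFile(sys_get_temp_dir());
try {
    echo "--- included from front controller ---\n";
    echo includeViaFrontController($file);
    echo "--- requested directly ---\n";
    echo requestDirectly($file);
} finally {
    unlink($file);
}
```

Run it with `php guard_demo.php`. The first block shows the header comment and the body; the second shows the header comment followed only by "Restricted access". That is the caveat worth remembering: the guard stops PHP execution, not output that precedes it, so anything above the `<?php` line (the four comment lines at the top of the TJ Sublime template) is still sent to whoever requests the file. It also does nothing if the server ever serves `.php` files as plain text. Treat the guard as one layer and keep include files outside the document root, or deny them in the web server configuration, as well.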

Unfortunately, you are wrong in this regard. When using a die statement in this way, you must use suppression, as I previously stated.

 

Consider the following:

 

w/o suppression

<?php
mysql_connect('fakehost','user','pass') or die('ERROR!: ' .mysql_error());
?>

 

Output:

Warning: mysql_connect() [function.mysql-connect]: Unknown MySQL server host 'fakehost' (11001) in C:\xampp\htdocs\index.php on line 3

 

 

Now with suppression:

<?php
@mysql_connect('fakehost','user','pass') or die('ERROR!: ' . mysql_error());
?>

 

Output:

ERROR!: Unknown MySQL server host 'fakehost' (11001)

 

 

Also, using @ does not "severely" increase execution time; I don't know where you got that idea.

 

 

However, I do agree that errors should be handled differently, but I wouldn't get into that subject on this board (more people should use the exception class).


Avoid using suppression. Handle your errors or let PHP display 'em.

 

@ symbols in code to suppress errors severely increase execution time.

That's funny; it seems to speed it up a lot for me. I tested your statement really quickly with this:

<?php

$start = microtime(true);

for ($i = 0; $i < 1000; $i++) {
    fopen('foo.txt', 'r'); // nonexistent file, so every call emits a warning
}

echo microtime(true) - $start;

?>

 

And the same thing with @ in front of fopen(), and got:

Without @: 0.429750919342

With @: 0.00551605224609

 

;)

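The replies above argue about `@call() or die(mysql_error())` versus leaving warnings on, and the second reply mentions exceptions as the better route. Here is an added example (not code from any poster) of that route: a temporary error handler turns the warning into an `ErrorException`, the caller catches it, and the detail goes to the server log rather than to the browser. Note what the unsuppressed warning in the post above reveals to a visitor: the host name the script tried to reach and the absolute path `C:\xampp\htdocs\index.php`. Handling the error lets you keep that detail out of the response. The function names and the missing file `foo.txt` are assumptions for the demonstration; it needs PHP 7 or later.

```php
<?php
// Added example: handle a failing call instead of suppressing it with @
// or dumping the raw error to the user with "or die(...)".
// Assumptions: PHP 7+; foo.txt does not exist in the working directory.

// Hypothetical handler: converts any reportable warning or notice into an
// ErrorException so it can be caught like any other failure.
function warningsAsExceptions(int $severity, string $message, string $file, int $line): bool
{
    if (!(error_reporting() & $severity)) {
        return false; // not reportable at this level: fall back to PHP's handling
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
}

// Open a file or throw. Installs the handler only for the duration of the
// call so unrelated code keeps its own error behaviour.
function openOrThrow(string $path, string $mode = 'r')
{
    set_error_handler('warningsAsExceptions');
    try {
        return fopen($path, $mode); // the "No such file" warning becomes an exception
    } finally {
        restore_error_handler();
    }
}

try {
    $fh = openOrThrow('foo.txt');
    fclose($fh);
    echo "opened\n";
} catch (ErrorException $e) {
    // Full detail (message, path, line) goes to the server log only.
    error_log('fopen failed: ' . $e->getMessage() . ' at ' . $e->getFile() . ':' . $e->getLine());
    // The visitor gets a generic message with no host names or file paths.
    echo "Could not open the file.\n";
}
```

Run it with `php handle_demo.php`; with `foo.txt` absent it prints the generic message and writes the real reason to the PHP error log. Whichever side of the `@` argument you take, production servers should have `display_errors` off so that a warning like the one quoted above never reaches the response at all.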
