Security question


racer x


I am learning about PHP security and having some trouble understanding hackers accessing a file directly, such as a validation script.

 

I was looking at CodeIgniter validation to see how they do it and noticed they put this line at the top:

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

 

I am thinking BASEPATH refers to a file path from the root to the normal page request?

 

How could I implement such code in my scripts, or is there a better method?

 

Gosh! How do you ever get to the point where you feel secure enough that you can put your code out there in the real world!

Thanks!!


The best security tip I can give you is to never let any user-inputted information go unvalidated. With any user-submitted information, always use strip_tags() or htmlentities(), and for inserting into a database always use mysql_real_escape_string(). User-inputted information is the biggest security hole in PHP there is.

 

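The post above names the three places where user input has to be handled. The following is an added example (not code from the thread or from CodeIgniter) that shows those three steps for one form field: validate on the way in, keep data separate from SQL on the way into the database, and escape on the way out. It uses PDO prepared statements for the database step, which in current PHP replaces the removed mysql_* functions. The table `comments`, the column names and the connection details are assumed placeholders.

```php
<?php
// Added example: handling a user-submitted comment at each trust boundary.
// Assumes a hypothetical table `comments` (author, body) and a PDO connection.
declare(strict_types=1);

// 1. Validate: accept only what the field is supposed to contain, and
//    reject anything else rather than trying to "clean" it.
function validateAuthor(string $raw): ?string
{
    $name = trim($raw);
    // Letters, digits, spaces and a few punctuation marks, 1 to 40 characters.
    if (preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

function validateBody(string $raw): ?string
{
    $body = trim($raw);
    if ($body === '' || mb_strlen($body) > 2000) {
        return null;
    }
    return $body;
}

// 2. Store with a prepared statement: the values travel separately from the
//    SQL text, so no escaping function is involved and quotes in the input
//    cannot change the query.
function storeComment(PDO $pdo, string $author, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// 3. Escape on output, for the context the value lands in (HTML here).
//    Escaping at output time, not at storage time, keeps the stored text
//    usable in other contexts (JSON, e-mail, CSV) later.
function renderComment(string $author, string $body): string
{
    return '<p><b>' . htmlspecialchars($author, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '</b>: ' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Request handling: a validation failure is a 400, not a best-effort guess.
$author = validateAuthor($_POST['author'] ?? '');
$body   = validateBody($_POST['body'] ?? '');
if ($author === null || $body === null) {
    http_response_code(400);
    exit('Invalid input');
}

// Placeholder connection details; real values would come from configuration.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'placeholder-password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the server do the parameter binding
]);
storeComment($pdo, $author, $body);
echo renderComment($author, $body);
```

The design point is that each function does one job: strip_tags() or htmlentities() applied at input time mixes output escaping into validation and still leaves the database step unprotected, whereas a whitelist check, a bound parameter and a context-specific escape each cover exactly one boundary.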

User inputted information is the biggest security hole in php there is.

 

It's not a security hole of PHP. It's a common security hole in programs written by oblivious coders.

 

 

 

As for that if(!defined()) thing, it's a fairly common thing to check for a defined var on an included page to make sure the page was reached via another page.

 

Example:

 

page1.php

<?php
// Mark that execution started from this entry page, then pull in page2.php.
define('SOME_DEF', true);
include 'page2.php';

page2.php

<?php
// Only page1.php defines SOME_DEF, so a request for page2.php by itself
// arrives here without it and stops before doing anything.
if(!defined('SOME_DEF')) {
    //not accessed through page1.php
    exit;
}


Thank you guys for your input. I am working hard at learning PHP, and there's rarely a day that goes by where I don't read at least a couple of articles on security.

 

To me, everything I learn about PHP is worthless if I don't secure my scripts properly!

 

Would that defined rule not allow a person to reach a page through a bookmark like pasting:

www.site/vendors?page=7 

 

Thanks again for the input!

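The define() guard shown in the earlier reply and the bookmark question raised just above fit together once there is a single entry script. The following added example (not from the thread, and not CodeIgniter's code) puts the two files from that reply into that shape: index.php defines the marker constant on every request and picks the page from a fixed list, and the included page file checks the marker. A bookmarked URL such as index.php?page=vendors&p=7 still works, because the bookmark hits the entry script, which defines the constant before including anything; only a request that names pages/vendors.php directly is refused. The constant name APP_ENTRY, the pages/ directory and the page names are assumptions.

```php
<?php
// ---- file: index.php (single entry point; the only script a URL should name) ----
declare(strict_types=1);

// Defined here and nowhere else; included page files test for it. This is
// the same idea as the BASEPATH check quoted in the first post.
define('APP_ENTRY', true);

// Fixed map of page names to files. The request value is used only as a key,
// never as part of a path, so "../config" or an arbitrary filename cannot
// select a file to include.
$pages = [
    'home'    => __DIR__ . '/pages/home.php',
    'vendors' => __DIR__ . '/pages/vendors.php',
];

$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('Unknown page');
}
include $pages[$page];
?>

<?php
// ---- file: pages/vendors.php (reachable only through index.php) ----
declare(strict_types=1);

if (!defined('APP_ENTRY')) {
    // Requested as /pages/vendors.php directly, bypassing index.php.
    http_response_code(403);
    exit('No direct script access allowed');
}

// The page number from the bookmark (?p=7) is validated as an integer >= 1;
// anything else falls back to the default.
$pageNumber = filter_var($_GET['p'] ?? 1, FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'default' => 1],
]);

echo '<h1>Vendors, page ' . $pageNumber . '</h1>';
```

The constant check is a belt-and-braces measure: the stronger control is to keep included files outside the web server's document root (or deny them at the web server), so that there is no URL for pages/vendors.php at all and the guard only matters if that configuration slips.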
