(11-07-2017, 03:30 PM)sneakyimp Wrote: (09-28-2015, 02:30 AM)RogerMore Wrote: Normally every php file can be run which can reveal parts of your site or cause other unwanted output like error messages if that file isn't meant to be run from the web.
The line with BASEPATH prevents naughty people from getting output from files that are only to be used by the framework like php files in your model and views folders.
Beware, this doesn't mean it makes your site unhackable!! It just maybe prevents some people from getting easy useful information which can be used for hacking your site.
Does this line really offer any meaningful protection, though?
1) I've yet to see a controller that does anything other than just define a class. Accessing such a file directly would define the class but absolutely nothing else.
2) If the user is able to inject some PHP file of their own to include/require these files, then nothing will stop them from just defining some arbitrary BASEPATH of their own, thereby defeating this line of code.
1) Not all files are controllers or class declarations with no side effects.
2) Unrelated.
Again, it's just a basic sanity check. Nobody should view it as a security measure.
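An added example, not part of the thread or of CodeIgniter itself: a small audit script that lists the PHP files in an application tree whose first statement is not the BASEPATH guard, which is where files with top-level side effects would run if requested directly. The two guard spellings matched are the ones CodeIgniter ships; the sample tree, file names and function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Guard spellings shipped by CodeIgniter: "defined(...) OR exit(...)" and the
# older "if ( ! defined(...)) exit(...)".
GUARD = re.compile(
    r"""^(?:if\s*\(\s*!\s*)?defined\s*\(\s*['"]BASEPATH['"]\s*\)\s*\)?\s*"""
    r"""(?:or|\|\|)?\s*(?:exit|die)\b""",
    re.IGNORECASE,
)
# Material allowed before the guard: open tag, whitespace, comments.
PREAMBLE = re.compile(r"^(?:\s+|<\?php|/\*.*?\*/|//[^\n]*|#[^\n]*)", re.DOTALL)

def has_guard(source: str) -> bool:
    """True when the first statement after the open tag and comments is the guard."""
    rest = source
    while (m := PREAMBLE.match(rest)):
        rest = rest[m.end():]
    return bool(GUARD.match(rest))

def unguarded_files(root: Path) -> list[str]:
    """Relative paths of .php files under root that do not start with the guard."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.php")
        if not has_guard(p.read_text(encoding="utf-8", errors="replace"))
    )

def demo() -> list[str]:
    """Scan a constructed sample tree (hypothetical file names and contents)."""
    guard = "defined('BASEPATH') OR exit('No direct script access allowed');\n"
    samples = {
        "controllers/Welcome.php": "<?php\n" + guard + "class Welcome extends CI_Controller {}\n",
        "models/Legacy_model.php": "<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');\n",
        "views/report.php": "<?php\n// top-level output, no guard\necho $title;\n",
        "helpers/late_helper.php": "<?php\necho 'side effect';\n" + guard,  # guard too late
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return unguarded_files(root)

if __name__ == "__main__":
    print(demo())
```

A file reported here is not necessarily exploitable; as the thread says, the guard is a sanity check, so treat the list as files to review for top-level side effects.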