Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Using CodeIgniter Best Practices First line defined('BASEPATH').... really worth on Apache??
First line defined('BASEPATH').... really worth on Apache??
  • Offline mcalahorro
    Newbie
  • *
  • Posts: 2
    Threads: 1
    Joined: Oct 2015
    Reputation: 0
#1
10-21-2015, 04:53 AM

PHP Code:
defined('BASEPATH') OR exit('No direct script access allowed'); 

It's recommended to place that line on all our project files to prevent direct access to files, but on Apache the .htaccess file do the job without that line.

So, it´s really recommended when we work on apache? Usually i want clearer files, so if it's not a bad practice i will not include that line.

Thx and srry for my english.
Reply
  • Offline mwhitney
    Posting Freak
  • *****
  • Posts: 1,101
    Threads: 4
    Joined: Nov 2014
    Reputation: 95
#2
10-21-2015, 10:44 AM

If your files are outside your web root, you may not need this line, depending on whether someone can find a way to attempt to execute the files.

It's not worth removing this line from existing files or files which will reside inside the public directories on your website, as the functionality of .htaccess is dependent on server settings and can even change between versions of Apache.

For example, shortly after starting my current job, I found that someone created a "secure" page using .htaccess to define a password file for the page. At some point the server's AllowOverride configuration changed in a fairly subtle manner without notice and the page became publicly visible under certain conditions, while still prompting the user for a password under other conditions.

Similarly, another developer thought they had found some slick method of securing a cache directory on their site, but, long after that developer left, the server configuration changed (again! different site, same server) and the site was no longer functioning correctly. In both instances, the script on the site had the same level of access to the directory as the general public, but in this case it went the other direction and the script no longer had access to the cache files.

One final point about the defined() OR exit() statements: if the script could run stand-alone and won't cause you any problems or expose any information about your site which might be valuable to an attacker, it's probably fine to remove it. Personally, I've occasionally considered removing this line from certain types of files or from specific files, but, in the long run, I've determined that I don't want to waste my time evaluating any given file to determine whether I can safely remove it unless I have some reason to use that file outside of CodeIgniter.
Bonfire
Practical CodeIgniter 3
CodeIgniter Testing Guide
Reply
  • Offline mcalahorro
    Newbie
  • *
  • Posts: 2
    Threads: 1
    Joined: Oct 2015
    Reputation: 0
#3
10-22-2015, 07:10 AM

Thanks so much! i'm just a newbie developer and that answer clears my mind really.

I will put that line on my files after research and understand ur answer. Normally we don't own the servers so we can't control it, goods news are that we can improve the security by coding.

+1 for u!
Reply




Theme © iAndrew 2016 - Forum software by © MyBB