First line defined('BASEPATH').... really worth on Apache??

#1
PHP Code:
defined('BASEPATH') OR exit('No direct script access allowed'); 

It's recommended to place that line in all our project files to prevent direct access to the files, but on Apache the .htaccess file does the job without that line.

So, is it really recommended when we work on Apache? Usually I want cleaner files, so if it's not a bad practice I will not include that line.

Thanks and sorry for my English.

#2
If your files are outside your web root, you may not need this line, depending on whether someone can find a way to attempt to execute the files.

It's not worth removing this line from existing files or files which will reside inside the public directories on your website, as the functionality of .htaccess is dependent on server settings and can even change between versions of Apache.

For example, shortly after starting my current job, I found that someone created a "secure" page using .htaccess to define a password file for the page. At some point the server's AllowOverride configuration changed in a fairly subtle manner without notice and the page became publicly visible under certain conditions, while still prompting the user for a password under other conditions.

Similarly, another developer thought they had found some slick method of securing a cache directory on their site, but, long after that developer left, the server configuration changed (again! different site, same server) and the site was no longer functioning correctly. In both instances, the script on the site had the same level of access to the directory as the general public, but in this case it went the other direction and the script no longer had access to the cache files.

One final point about the defined() OR exit() statements: if the script could run stand-alone and won't cause you any problems or expose any information about your site which might be valuable to an attacker, it's probably fine to remove it. Personally, I've occasionally considered removing this line from certain types of files or from specific files, but, in the long run, I've determined that I don't want to waste my time evaluating any given file to determine whether I can safely remove it unless I have some reason to use that file outside of CodeIgniter.
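The AllowOverride fragility described in the answer above, shown as an added Apache configuration illustration (not taken from this thread or from CodeIgniter's own files). It assumes a DocumentRoot of /var/www/site/public with CodeIgniter's application/ and system/ directories inside it.

```apache
# Added illustration, not from this thread. Assumed layout:
# DocumentRoot /var/www/site/public, with application/ and system/ inside it.

# Fragile: the protection lives in a per-directory .htaccess file.
# --- /var/www/site/public/application/.htaccess ---
<IfModule authz_core_module>
    # Apache 2.4 syntax
    Require all denied
</IfModule>
<IfModule !authz_core_module>
    # Apache 2.2 syntax (mod_access_compat on 2.4)
    Deny from all
</IfModule>

# --- main server / vhost configuration ---
<Directory "/var/www/site/public">
    # The .htaccess above is only honoured while these override groups are
    # enabled. If an administrator later sets this to "None" (or drops a
    # group), Apache ignores the file without any warning and handles
    # requests for files under application/ like any other URL. That is the
    # situation the defined('BASEPATH') guard is there to catch.
    AllowOverride AuthConfig Limit
</Directory>

# Robust: state the restriction in the main configuration itself, so it no
# longer depends on AllowOverride and is visible in one place when reviewed.
<Directory "/var/www/site/public/application">
    Require all denied
</Directory>
<Directory "/var/www/site/public/system">
    Require all denied
</Directory>
```

Moving application/ and system/ above the DocumentRoot removes the need for either block, but the PHP guard still costs nothing and covers the case where a deployment does not follow that layout.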

#3
Thanks so much! I'm just a newbie developer and that answer really clears my mind.

I will put that line in my files after researching and understanding your answer. Normally we don't own the servers, so we can't control them; the good news is that we can improve the security by coding.

+1 for you!