Re: Preventing execution without inclusion

Thomas Goyne wrote:
On Thu, 13 Jan 2005 16:25:30 -0600, Adam Hubscher <webmaster@xxxxxxxxxxxxxxxx> wrote:

1 (the preferred way): user accesses http://www.example.org/index.php?function=Join, this loads the class NewUser and begins its implementation. Because of the __autoload, it includes class.join.php, in order to utilize the class.

2 (the wrong way): user accesses http://www.example.org/includes/class.join.php without going through index.php.

I am trying to prevent 2 from even occurring, utilizing a piece of code that would check if index.php had included it, or not. This code would be in the beginning of all the class files, at the top, before any other code was to be executed.


Ideally, you'd put all of the files users aren't supposed to access outside of the document root, so there just isn't a uri that points to the file.


If (as your question makes it sound) the includes do nothing but define a class, and don't actually run any code, then it really doesn't matter if users directly access an include, as nothing will happen.



Ok, that's what I expected to be the case - I was just being cautious. Unfortunately with what the application is providing for (a game server), there is a large userbase of people that would potentially do anything in their power... or learning ability, to inflict harm upon the users and the database of the site/game server which I am running. Security has been my primary lack-of-sleep for the last few days, and this was one of the last things eluding me.


Thank you very much Thomas!

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
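
An added example, not code from the thread or its participants: a front controller that combines both approaches discussed above, with the includes kept outside the document root and a defined-constant guard as a fallback for class files that must stay web-reachable. The directory layout, the `APP_ENTRY` and `INCLUDE_DIR` constants and the `ROUTES` table are assumptions for illustration; `spl_autoload_register` is used because `__autoload` was removed in PHP 8.

```php
<?php
// index.php: the only PHP file inside the document root (added example).
// Assumed layout: /var/www/example/public/index.php        (document root)
//                 /var/www/example/includes/class.join.php (no URI maps here)

// Marker that include files can test for; APP_ENTRY is a hypothetical name.
define('APP_ENTRY', true);

// Includes live one level above the document root.
define('INCLUDE_DIR', dirname(__DIR__) . '/includes');

// Allowlist: ?function= value => [class name, file name].
// Request input selects an entry; it never becomes part of a file path.
const ROUTES = [
    'Join' => ['NewUser', 'class.join.php'],
];

// Autoloader: only classes named in ROUTES can be loaded.
spl_autoload_register(function (string $class): void {
    foreach (ROUTES as [$name, $file]) {
        if ($name === $class) {
            require INCLUDE_DIR . '/' . $file;
            return;
        }
    }
});

$function = $_GET['function'] ?? '';
if (!is_string($function) || !isset(ROUTES[$function])) {
    http_response_code(404);
    exit('Unknown function');
}

[$class] = ROUTES[$function];
$handler = new $class();   // triggers the autoloader above

// Top of includes/class.join.php, as a fallback guard if the file has to
// stay inside the document root (shown as comments to keep one file):
//
//   if (!defined('APP_ENTRY')) {
//       http_response_code(403);
//       exit;
//   }
//   class NewUser { /* ... */ }
```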

