Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> v2.4 RN Issues
hicuxunicorniobestbuildpc
Posted: Sat Jan 09, 2010 12:03 pm

Hello to everyone. I wonder if it is possible to call this line from one place to get rid of the same piece of code all the time on modules and admin modules.

Modules
Code:
if (!defined('MODULE_FILE')) {
    die ("You can't access this file directly...");
}


Admin Modules

Code:
if (!defined('ADMIN_FILE')) {
    die ("Access Denied");
}


I want to remove all those lines and call them from one place. I don't understand why nuke repeats this many times. Any suggestion?
 
montego
Site Admin
Posted: Sat Jan 09, 2010 12:48 pm

That would defeat the purpose of these. These lines must be in each script file that should NOT be accessible directly from the browser, i.e., only included as a part of a call to index.php or admin.php. Remove those and you get rid of an important "security" element.

hicuxunicorniobestbuildpc
Posted: Sat Jan 09, 2010 2:20 pm

In admin.php, where config.php is, you wrote this:

Code:
if (!isset($admin_file)) $admin_file = 'admin'; // montego - why do this check in every module when it can be done here!


Can we do the same with the rest of the files I mentioned above?
 
spasticdonkey
RavenNuke(tm) Development Team
Posted: Sat Jan 09, 2010 5:40 pm

That piece of code is doing something different, having to do with the $admin_file as defined in config.php. It's checking to make sure it has been set, and if not sets it as admin.

Your first examples are to keep people from accessing your scripts directly, which can reveal sensitive info. Something like:
yoursite.com/modules/Your_Module/somescript.php
instead of
yoursite.com/modules.php?name=Your_Module&file=somescript

You can google Full Path Disclosure if you want more info on why you shouldn't remove that code.
 
Palbin
Site Admin
Posted: Sun Jan 10, 2010 12:54 pm

unicornio wrote:
In admin.php, where config.php is, you wrote this:

Code:
if (!isset($admin_file)) $admin_file = 'admin'; // montego - why do this check in every module when it can be done here!

Can we do the same with the rest of the files I mentioned above?

That bit of code in reality is not needed, but it is good to have a catch-all in case it is not set. It should probably be (!empty($admin_file)) $admin_file = 'admin'; or maybe both. $admin_file should never be not set unless you are not including config.php, but then nothing would work anyway. On the other hand I could see it being empty.

hicuxunicorniobestbuildpc
Posted: Sun Jan 10, 2010 1:40 pm

Palbin, thanks for your answer. Now I understand this line:

Code:
if (!isset($admin_file)) $admin_file = 'admin'; // montego - why do this check in every module when it can be done here!


If for some reason the admin module doesn't have this line then it will read it and be protected. Really good.
 
montego
Posted: Mon Jan 11, 2010 6:28 pm

Yup, and you will also see that the ADMIN_FILE constant is defined in admin.php. Each core admin script and module admin script should then check to make sure that constant is defined before it allows that script to be used. Keeps the script from being requested directly from the browser's URL for instance, one MUST come through admin.php.

Now, for most of my modules, I will do the ADMIN_FILE and MODULE_FILE checks in their respective index.php script (i.e., module and module/admin) and then define my own module-specific constant because I want to make sure all requests go through one of those two index.php scripts.

For example, for the HTML Newsletter module, see that I have defined the constant MSNL_LOADED and then I check for that constant within each of my included files rather than ADMIN_FILE/MODULE_FILE.

Why? Well, glad you asked...

Built into the modules.php script features is the ability to cause a given module to load a file different from index.php. For example, take a look at the News module. There is a script in there called article.php. I could bypass the index.php within the modules/News directory, simply by using the following URL in the browser:
[ Only registered users can see links on this board! Get registered or login! ]

The system will bypass loading the modules/News/index.php script and include modules/News/article.php instead. For this module, this is perfectly legitimate given how it is coded. And, you might find this useful even within your own modules. However, myself, I personally prefer to run everything through my module-level index.php scripts... what I consider my "director".

Just different approaches and use models.

I hope that you find this mini-tutorial helpful.

Regards,
montego
 
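The layering montego describes above (MODULE_FILE and ADMIN_FILE checked once in a module's own index.php, a module-specific constant checked in every other file, so that modules.php's ability to load `file=` directly cannot skip the "director"), together with the direct-access guard from the first posts that spasticdonkey ties to Full Path Disclosure, as an added example. This is not code from the thread, from RavenNuke, or from montego's HTML Newsletter module; it is a hypothetical module "Your_Module" shown as three files in one listing, to be split at the `FILE:` markers. It assumes only what the thread states: modules.php defines MODULE_FILE and sets $module_name, and admin.php defines ADMIN_FILE, before these files are included. The constant names YOURMOD_LOADED and YOURMOD_ADMIN_LOADED, the $op whitelist and the functions in functions.php are this example's own.

```php
<?php
// FILE: modules/Your_Module/index.php  -- the module-level "director"
// (hypothetical module; constant and function names below are this example's own)

if (!defined('MODULE_FILE')) {
    // Reached only when the file is requested by its path instead of through
    // modules.php?name=Your_Module. Stop before any core variable is touched,
    // so no PHP notice can echo the absolute path of this script.
    die("You can't access this file directly...");
}

// Every other file of this module checks for THIS constant, not MODULE_FILE.
// A request such as modules.php?name=Your_Module&file=functions would pass the
// MODULE_FILE check inside modules.php, but still fail the check in
// functions.php, because only this index.php ever defines YOURMOD_LOADED.
define('YOURMOD_LOADED', true);

require_once dirname(__FILE__) . '/functions.php';

// Route by an explicit whitelist rather than by including "$op.php": the only
// code paths reachable from the URL are the ones written here.
$op = isset($_GET['op']) ? $_GET['op'] : 'main';
$routes = array(
    'main' => 'yourmod_show_main',
    'view' => 'yourmod_show_item',
);
if (!isset($routes[$op])) {
    $op = 'main';
}
$routes[$op]();


// FILE: modules/Your_Module/functions.php  -- only ever reached via index.php

if (!defined('YOURMOD_LOADED')) {
    // Catches both a direct request by path and modules.php ...&file=functions.
    die("You can't access this file directly...");
}

function yourmod_show_main() {
    // $module_name is set by modules.php in the real system; fall back if absent.
    $name = isset($GLOBALS['module_name']) ? $GLOBALS['module_name'] : 'Your_Module';
    echo '<p>Main page of ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

function yourmod_show_item() {
    // An item id is only ever an integer here; cast before use.
    $id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
    echo '<p>Item ' . $id . '</p>';
}


// FILE: modules/Your_Module/admin/index.php  -- admin side, same idea

if (!defined('ADMIN_FILE')) {
    // ADMIN_FILE is defined by admin.php, so one MUST come through admin.php.
    die('Access Denied');
}

// Admin-side files of this module check this constant instead of ADMIN_FILE.
define('YOURMOD_ADMIN_LOADED', true);

echo '<p>Admin panel reached through admin.php only.</p>';
```

Requesting functions.php by its path, or via modules.php with `file=functions`, ends at the `die()` before any line that could reference $db, $prefix or a function defined elsewhere, which is what keeps an "undefined variable/function in /full/path/..." message from ever being produced. The whitelist in index.php is the other half of the "director" idea: the URL chooses among names the module author wrote down, never a filename.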
hicuxunicorniobestbuildpc
Posted: Wed Jan 13, 2010 12:14 am

Thanks Montego, very nice explanation. I realized how deep you were going with the core to make it more secure.