hacking php files?


niche

Recommended Posts

I found a free barcode script that looks very promising, thanks to justsomeguy. There's a line in the manual that says: "First of all, you must define a constant variable to prevent "hackers" that go directly into PHP files." What does that line mean? Thanks

It means that in the parent file, you define a constant, and then check for the existence of said symbol in the included script; if it doesn't exist, you can say that the file has been inappropriately accessed, and die.

In the included file (let's call it barcode.php):

<?php
if (defined('BARCODE_DEFINED')) {
    // barcode script
}
?>

And in the parent file (the one that must be accessed directly):

<?php
define('BARCODE_DEFINED', true);
include 'barcode.php';
// other code
?>

So how do I make BARCODE_DEFINED detect hacking?

I'm not sure what I'm worried about either. I do know that the documentation for the script I found (thanks to you) said that I needed to guard against hackers when using their class. I didn't think PHP could be easily hacked before today. That's why I'm asking. Synook said that I need to define a constant that, if changed, would kill the script, but I'm not sure how to execute that conceptually. For example, if I had a class that calculates prices, how would the constant be included in the calculations in a meaningful way? This manual suggests that a hacker could change the mark-up, for example. Before today, I wouldn't have thought that was even a moderately difficult thing to do without IDs and passwords. What do you think? And if using a constant will help protect our scripts, how do you use a constant to catch hackers? I'm still not clear on that conceptually. Thanks

The only difference between this and boen's code is that it prints a message. Boen's example and this one will not allow the *barcode script* to execute.

<?php
if (defined('BARCODE_DEFINED')) {
    // *barcode script*
} else {
    die("Unauthorized access");
}
?>

EDIT: I think no one is quite sure what your manual means (you only quoted a little of it). We are assuming it refers to scripts that are only meant to execute when they are included in another script. This technique prevents scripts like that from being executed independently, just by calling their URL. It has nothing to do with classes, calculations, or passwords. It is also pretty extreme to call this particular concept "hacking."

Hacking is a broad term. In this case, I think the protection offered is to prevent execution of files out of context. In other words, if a file is meant to be included in another, not executed standalone, the BARCODE_DEFINED code will ensure that the file can't be executed. Many applications use this approach, although usually the code is set up during installation.

Here's the link: http://www.barcodephp.com/1d/userguide.php

Here's the quote in context (I've underlined the sentence in question):

Creating Barcode

You can use the web application to generate barcode, but if you want to generate it in one of your program, you must understand how the code works.

First of all, you must define a constant variable to prevent "hackers" that go directly into PHP files.

After, you have to include required files to draw your barcode.

require('class/BCGFont.php');
require('class/BCGColor.php');
require('class/BCGDrawing.php');

At this point, you have to include the file of your barcode type. For instance, we will generate a Code39 barcode.

include('class/BCGcode39.barcode.php');

We will now load the font for writing a label under the barcode. If you don't want to have a text on it, ignore this step. The first argument is the path to the ttf font file and the second is the size in point (pt) of the font.

$font = new BCGFont('./class/font/Arial.ttf', 18);

Ok now, let's generate some colors...

The source files for the class don't do any sort of checking for defined constants. The only place he uses that in the demo files looks like a file such as html/code39.php, where he has this:

define('IN_CB', true);
include('header.php');

Then in the header.php file he has this:

if(!defined('IN_CB')) die('You are not allowed to access to this page.');

So that just stops someone from loading the header file unless it has been included from a file which defines that constant. The class files for the barcode generation don't check for that though. It's unclear from his description whether he thinks they are vulnerable to something.
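Putting the thread's constant guard together, as an added example that is neither the barcodephp library's own code nor taken from any post above (the file names barcode.php and index.php, the helper make_barcode_label() and the log message are assumptions): the included file refuses to run unless the entry script defined BARCODE_DEFINED first, answers a direct request with HTTP 403 instead of a bare message, and writes a line to the web server's error log so direct hits on the include can be noticed.

```php
<?php
// ===== barcode.php (the included file; hypothetical name) =====
// The guard is the first statement in the file so nothing below it
// can run when someone requests barcode.php by its URL.
if (!defined('BARCODE_DEFINED')) {
    // Record the direct access in the web server error log (assumed format).
    error_log(sprintf(
        'Direct access to %s blocked from %s',
        basename(__FILE__),
        $_SERVER['REMOTE_ADDR'] ?? 'cli'
    ));
    // A real HTTP status is friendlier to monitoring than die("...") alone.
    http_response_code(403);
    exit('Unauthorized access');
}

// Past this point the file was included by a script that set the constant.
// Stand-in for the real barcode drawing code.
function make_barcode_label(string $text): string
{
    return strtoupper(trim($text));
}
?>

<?php
// ===== index.php (the page a browser is allowed to request directly) =====
// The constant must be defined BEFORE the include, or the guard fires
// for the legitimate caller as well.
define('BARCODE_DEFINED', true);

// require rather than include: a missing include file should be fatal,
// not silently skipped.
require __DIR__ . '/barcode.php';

echo make_barcode_label(' code39 ');
?>
```

Requesting index.php prints the label; requesting barcode.php directly yields a 403 and one error-log line, and the constant cannot be set from outside because define() only runs inside index.php.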

I thought he was talking about some kind of inherent vulnerability in PHP. Apparently not. Anyway, I do understand the concept of using the constant in the header file. I wouldn't have thought of that without everyone's help. So thanks to everyone: Synook, boen_robot, justsomeguy, Deirdre's Dad, and wirehopper.

I think no one is quite sure what your manual means (you only quoted a little of it). We are assuming it refers to scripts that are only meant to execute when they are included in another script. This technique prevents scripts like that from being executed independently, just by calling their URL.
I have been following this dialogue with some interest and have even created my own pair of files to examine how the define() and defined() functions work in tandem with one another. This experimentation has led me to a question about the way in which PHP contained in an included file is handled in the including file.

MY QUESTION: Is it correct to say that the PHP code in an included file is treated identically with code that is contained in the including file? In other words, PHP code contained in the included file can be inserted wherever PHP code can be written in the including file with no disturbance in the processing of the code contained in the merged files.

1) If this is true, how are the script delimiters <?php . . . ?> of the included file handled?
2) If this is not the case, what are the limitations for using included PHP code?

Roddy :)

MY QUESTION: Is it correct to say that the PHP code in an included file is treated identically with code that is contained in the including file?
Yes.
1) If this is true how are the script delimiters <?php . . . ?> of the included file handled?
Think of it as if the PHP block was ended, then the included script pasted in, then the PHP block started again.
<?php // included.php
	echo "yay";
?>
<some html="code">

<?php // includes.php
	echo "blah";
	include("included.php");
	echo "blah!";
?>

Could be thought of like:

<?php // includes.php
	echo "blah";
?>
<?php // included.php
	echo "yay";
?>
<some html="code">
<?php
	echo "blah!";
?>
