Reply to Re: [PHP] [Files suffix] .inc.php files

Posted by Marcus Bointon on 06/01/05 11:07

On 1 Jun 2005, at 06:22, Richard Lynch wrote:

> You've got files that people can get executed *COMPLETELY* out of context,
> that *NOBODY* even thought about being executed out of context, much less
> *TESTED* in any kind of QA process!
>
> I can surf to http://example.com/admin.inc and who knows what will happen
> if that PHP code in there gets executed without all the code you expected
> to be executed before that code?

There is one simple habit that can mitigate this issue, and it's one
I see very often: make your .inc.php and .class.php files do nothing.
If your .inc files contain only function and constant definitions, and
your .class files contain only class definitions, then nothing will
happen when you run them - a bunch of functions or a class will get
defined, but if nothing is run, they will just be forgotten. This
route has a major advantage when it comes to deployment - you can
just stick all your files in one place, and it will work without
risk. Another simple approach is to put all your included files in a
directory that contains a .htaccess file to prevent direct access to
them. They can still be included from your PHP scripts.

Marcus
--
Marcus Bointon
Synchromedia Limited: Putting you in the picture
marcus@synchromedia.co.uk | http://www.synchromedia.co.uk
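
The "include files do nothing" habit described in the post above can be checked mechanically. The following is an added example, not part of the original message: it uses PHP's token_get_all() to report any file-scope statement that is not a definition. The helper name audit_include() and both sample files are constructed for illustration, and code inside a braced namespace block is not inspected.

```php
<?php
// Added example, not code from the thread; audit_include() and both samples are constructed.
function audit_include(string $source): array
{
    // Tokens that may begin a file-scope statement in a definitions-only file.
    $allowed = ['T_FUNCTION', 'T_CLASS', 'T_INTERFACE', 'T_TRAIT', 'T_ENUM',
                'T_ABSTRACT', 'T_FINAL', 'T_READONLY', 'T_ATTRIBUTE',
                'T_CONST', 'T_NAMESPACE', 'T_USE', 'T_DECLARE'];
    $ignored = ['T_OPEN_TAG', 'T_WHITESPACE', 'T_COMMENT', 'T_DOC_COMMENT'];
    $opens = ['{', 'T_CURLY_OPEN', 'T_DOLLAR_OPEN_CURLY_BRACES'];
    $findings = [];
    $depth = 0;       // brace nesting; 0 is file scope
    $atStart = true;  // the next significant token begins a statement
    $line = 1;
    foreach (token_get_all($source) as $tok) {
        [$name, $text, $line] = is_array($tok)
            ? [token_name($tok[0]), $tok[1], $tok[2]] : [$tok, $tok, $line];
        $blankHtml = $name === 'T_INLINE_HTML' && trim($text) === '';
        if ($blankHtml || in_array($name, $ignored, true)) {
            continue;
        }
        if ($depth === 0 && ($name === ';' || $name === 'T_CLOSE_TAG')) {
            $atStart = true;   // a closing tag ends a statement as ';' does
            continue;
        }
        if ($depth === 0 && $atStart) {
            $isDefine = $name === 'T_STRING' && strtolower($text) === 'define';
            if (!$isDefine && !in_array($name, $allowed, true)) {
                $findings[] = sprintf('line %d: %s', $line, trim($text));
            }
            $atStart = false;
        }
        if (in_array($name, $opens, true)) {
            $depth++;
        } elseif ($name === '}') {
            $depth--;
            $atStart = ($depth === 0);
        }
    }
    return $findings;
}
// Constructed: definitions only, so requesting it directly runs nothing.
$safe = <<<'SRC'
<?php
define('MAX_ROWS', 50);
function row(array $r) { return "<td>{$r['id']}</td>"; }
SRC;
// Constructed: acts at load time and trusts checks made by its includer.
$risky = "<?php\nfunction purge() {}\nif (\$_GET['ok']) { purge(); }\necho 'done';\n";
print_r(['safe' => audit_include($safe), 'risky' => audit_include($risky)]);
```

Run over every .inc.php and .class.php file before deployment, a non-empty result marks a file that still does work when requested directly and therefore needs the .htaccess protection or a refactor.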
