Reply to Re: [PHP] protect your CSS files, and possibly other extensions as well...

Posted by Richard Lynch on 05/11/05 09:06

You could do all this...

Or you could just move the files outside your web tree and change your
include path. [shrug]

On Tue, May 10, 2005 9:03 pm, Kit DeKat said:
> $const = get_defined_constants();
> if( !isset($const["SOME_CONSTANT"]) ||
> ($const["SOME_CONSTANT"] != 'secret_string') )

http://php.net/defined
would be more clear...

> You will take a performance hit for adding the parser to more pages, but

You'd have to benchmark on your own system to be certain, but others have
reported in the distant past that it's a 5-10% performance hit to pass all
.htm files through PHP.

Presumably that would apply for .css and .js as well.

I use .htm and pass through PHP, because I find it frees me up to build a
better site with more cool PHP snippets/features without having to
maintain old URLs in a change from .htm to .php. YMMV.

> if( !isset( $_SERVER["HTTP_REFERER"]) ||
> !strpos($_SERVER["HTTP_REFERER"],$_SERVER["SERVER_NAME"]) )

I don't think you can count on HTTP_REFERER to be set by browsers.

It's not required by the HTTP spec, as I understand it.

Plus, it seems to me like you are asking for trouble between
www.example.com and example.com if they surf to www. but your
developer/designer only uses 'example.com'

I also would wonder if this will scale up to server farms? Maybe the
REFERER/SERVER_NAME stuff is all hunky-dory consistent there...

If an end user wants to read your CSS or JS bad enough, they can get it.

Nor is this really a problem.

You definitely do *NOT* want them able to surf to non-entry (ie,
'include'd) files!

Your developers (you) almost certainly spent zero time wondering "what if"
the user did that, and them executing your .php/.inc/.inc.php file out of
context could wreak havoc.

There are many "solutions" for this -- But to me, moving the files out of
the web tree and setting include_path makes the most sense as the safest.

There's *NO* *WAY* you're gonna screw up your httpd.conf or .htaccess
files and make the files not in the web tree suddenly accessible.

It's not like setting include_path is rocket science once you figure out
that this is EXACTLY what that is for.

Just my opinion.

--
Like Music?
http://l-i-e.com/artists.htm
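
The layout recommended in the post above (include files kept outside the web tree and found through include_path), as an added example that is not part of the original message. The directory names, file names and the `is_web_reachable()` helper are constructed for illustration; the script builds its own temporary layout so it runs from the PHP command line.

```php
<?php
// Constructed demo layout (hypothetical names), created under the temp dir:
//   <base>/public_html/index.php   entry point, inside the web tree
//   <base>/includes/db.inc.php     library file, outside the web tree
$base    = sys_get_temp_dir() . '/include_path_demo_' . getmypid();
$docroot = "$base/public_html";
$incdir  = "$base/includes";
mkdir($docroot, 0700, true);
mkdir($incdir, 0700, true);

// The library file has no URL at all, because it does not live under $docroot.
file_put_contents("$incdir/db.inc.php",
    "<?php\nfunction db_label() { return 'db layer loaded'; }\n");

// The entry script is the only PHP file the web server can be asked for.
file_put_contents("$docroot/index.php", <<<'PHP'
<?php
// Prepend the private directory so a bare file name resolves there first.
set_include_path(dirname(__DIR__) . '/includes' . PATH_SEPARATOR . get_include_path());
require_once 'db.inc.php';
echo db_label(), "\n";
PHP
);

/** True when $file resolves to a path inside $docroot, i.e. it could be requested by URL. */
function is_web_reachable(string $file, string $docroot): bool
{
    $real = realpath($file);
    $root = rtrim(realpath($docroot), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return $real !== false && strncmp($real, $root, strlen($root)) === 0;
}

// Simulate a request for the entry point: it loads the library via include_path.
require "$docroot/index.php";

// Deployment check: the entry point is in the web tree, the library is not.
var_dump(is_web_reachable("$docroot/index.php", $docroot));
var_dump(is_web_reachable("$incdir/db.inc.php", $docroot));

// Remove the constructed demo files.
unlink("$docroot/index.php");
unlink("$incdir/db.inc.php");
rmdir($docroot);
rmdir($incdir);
rmdir($base);
```

A check like `is_web_reachable()` can be run over every `.inc`/`.inc.php` file at deploy time to confirm none of them sits under the document root.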
