[Pmwiki-users] Safer .php-files
Thomas -Balu- Walter
list+pmwiki-users
Thu Feb 26 09:26:20 CST 2004
On Thu, Feb 26, 2004 at 12:41:55PM +0100, Christian Ridderström wrote:
> I'd like some opinions on putting this first in all .php-files:
>
> if(!isset($Version)) {
> header('Content-Type: text/plain');
> print implode('',file($_SERVER['SCRIPT_FILENAME']));
> exit;
> }
>
> The idea is that the variable '$Version' which is set by pmwiki.php must
> exist, otherwise the current .php file is simply shown as text.
>
> Is there a risk that $_SERVER['SCRIPT_FILENAME'] won't be portable?

Yes :-( - I've run into that problem once. Not sure what environment and
version it was so. Since you are in the file you might be able to use
something like __FILE__ (which was broken in some versions too though :()

> As for the variable, it's actually defined in scripts/version.php and I
> would prefer using variable defined directly in pmwiki.php, and that
> it has a more verbose name. E.g. something like:
>
> $PmWiki = true;
> $PmWikiDefined = true;
> $PmWikiRunning = true;
> $PmWikiVersion = $Version;
>
> Patrick, what do you think of adding one of the variables above to
> pmwiki.php?

I strongly vote against using variables. If you have a box that has
register_globals on they can be set in different ways. A better idea
is to use defines:

    define('pmWiki', true);      // in files that are allowed to be called externally

    if (!defined('pmWiki')) {    // all other files
        print('Sorry, you are not allowed to view this file directly!');
        exit;
    }

Balu
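
The difference between the two guards discussed in this message, as an added example that is not part of the original post or of PmWiki's code. register_globals was removed in PHP 5.4, so its effect is emulated here by copying request parameters into a scope array; the helper function names and the sample request are constructed for illustration.

```php
<?php
// Added example: compares the variable guard and the constant guard when a
// script file is requested directly. The register_globals behaviour is
// emulated, since the setting no longer exists in current PHP.

// Emulation of register_globals: each request parameter becomes a variable.
function emulate_register_globals(array $request): array
{
    $scope = [];
    foreach ($request as $name => $value) {
        $scope[$name] = $value;
    }
    return $scope;
}

// Guard from the quoted proposal: allow if the variable $Version exists.
function variable_guard_allows(array $scope): bool
{
    return isset($scope['Version']);
}

// Guard from the reply: allow only if an entry script called define().
function constant_guard_allows(): bool
{
    return defined('pmWiki');
}

// Constructed request: the file is fetched directly, pmwiki.php never ran,
// but the query string carries a parameter named like the guard variable.
parse_str('Version=x', $request);
$scope = emulate_register_globals($request);

printf("direct request: variable guard allows=%s, constant guard allows=%s\n",
    var_export(variable_guard_allows($scope), true),
    var_export(constant_guard_allows(), true));

// Normal entry: pmwiki.php runs first and defines the constant. Request
// input cannot create constants, so only trusted code reaches this state.
define('pmWiki', true);
$scope = ['Version' => 'constructed-version']; // as set by the entry script

printf("via entry file: variable guard allows=%s, constant guard allows=%s\n",
    var_export(variable_guard_allows($scope), true),
    var_export(constant_guard_allows(), true));
```

Run it with the PHP command-line interpreter; the first line of output covers the direct request and the second the normal entry through pmwiki.php.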