PHP—“Defined or Exit” at the beginning of many files?

Question

I have been inspecting some PHP source codes and I more often than not find files starting with

defined(\'__someconstant__\') or exit();

I

Answer 1

Adding to @NullUserException's answer...

Yes there are other ways of preventing a file from being accessed directly (.htaccess being one), but for software that is shared with a wide audience, you can't really rely on those technologies being there. You can rely on a simple condition at the top of the files though.

Answer 2

To avoid those (useless) lines at the top of (nearly) each file, your could:

• Store a public "controller" file (like index.php in a directory called web or public on which your web server's alias or virtual host points to

• Store in other directories like lib, config, apps... all the files that should not be directly accessed through the webserver by simply typing an URL.

This is typically the structure of existing frameworks such as Symfony 1.x

Additionally you can (and certainly will, for URL rewrites) put a .htaccess file, but a server misconfiguration can incidentally disable it, so keeping source files in distinct directories is IMO better.

Answer 3

Isn't there (even non-PHP based) a cleaner way of doing it without introducing this extra code in every file?

Presence of such snippets indicate bad code structuring, namely code automatically executing in global scope. You shouldn't have this or exit(); code in pure function/class includes. It would be redundant there.

Code that does perform potentially dangerous actions shoult not be web-accessible in the first place. The or exit; approach is a workaround. It should always be accompanied by a FilesMatch and Deny from All in a .htaccess file however. Best set the whole include directory inaccessible.