Unit 14: Security
        include '/inc/presentation/form.inc';
    }
    break;
default:
    include '/inc/presentation/index.inc';
    break;
}
?>
If this is the only public PHP script, then it should be clear that the design of this application
ensures that any global security measures taken at the top cannot be bypassed. For example,
instead of glancing through a lot of code, it is easy to see that end.inc is only displayed to a user
when $form_valid is true, and because it is initialized as false just before process.inc is included,
it is clear that the logic within process.inc must set it to true, otherwise the form is displayed
again (presumably with appropriate error messages).
If you use a directory index file such as index.php (instead of dispatch.php),
you can use URLs such as http://example.org/?task=print_form.
You can also use the Apache ForceType directive or mod_rewrite to accommodate URLs such
as http://example.org/app/print-form.
The Include Method
Another approach is to have a single module that is responsible for all security measures. This
module is included at the top (or very near the top) of all PHP scripts that are public (available
via URL). Consider the following security.inc script:
<?php
switch ($_POST['form'])
{
    case 'login':
        $allowed = array();
        $allowed[] = 'form';
        $allowed[] = 'username';
        $allowed[] = 'password';
        $sent = array_keys($_POST);
        if ($allowed == $sent)
        {
LOVELY PROFESSIONAL UNIVERSITY 351
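The field-whitelist check that security.inc begins above, generalized into a reusable function (an added example, not the book's code; the $FORM_FIELDS table and the form_fields_allowed name are assumptions). Unlike a plain == on the two arrays it ignores field order, and it also rejects a missing or unknown form name, so the including script can stop the request on a false result.

```php
<?php
// Added example (not the book's code): a reusable version of the
// security.inc field check. Names below are assumptions.

// Hypothetical per-form whitelist of the only fields each form may submit.
$FORM_FIELDS = array(
    'login'    => array('form', 'username', 'password'),
    'register' => array('form', 'username', 'password', 'email'),
);

// Returns true only when $post names exactly the fields allowed for its
// form: no missing field and no unexpected field. Order is ignored, so a
// client that submits the same inputs in another order is not rejected,
// which a plain $allowed == $sent comparison on numeric keys would do.
function form_fields_allowed(array $post, array $formFields)
{
    if (!isset($post['form']) || !isset($formFields[$post['form']])) {
        return false;                 // missing or unknown form name
    }
    $allowed = $formFields[$post['form']];
    $sent    = array_keys($post);
    sort($allowed);
    sort($sent);
    return $allowed === $sent;
}

// Constructed sample submissions, run only from the command line so the
// file can also be included from a web script without side effects.
if (PHP_SAPI === 'cli') {
    $cases = array(
        'good login'    => array('form' => 'login', 'username' => 'alice', 'password' => 'x'),
        'reordered'     => array('password' => 'x', 'form' => 'login', 'username' => 'alice'),
        'extra field'   => array('form' => 'login', 'username' => 'alice', 'password' => 'x', 'extra' => '1'),
        'missing field' => array('form' => 'login', 'username' => 'alice'),
        'unknown form'  => array('form' => 'other'),
    );
    foreach ($cases as $label => $post) {
        printf("%-14s %s\n", $label,
            form_fields_allowed($post, $FORM_FIELDS) ? 'accepted' : 'rejected');
    }
}
```

In the include method described above, security.inc would call this once at the top of each public script and display the form again (or exit) whenever it returns false.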