[Pmwiki-users] Safer .php-files

Thomas -Balu- Walter list+pmwiki-users
Thu Feb 26 09:26:20 CST 2004

On Thu, Feb 26, 2004 at 12:41:55PM +0100, Christian Ridderstr?m wrote:
> I'd like some opinions on putting this first in all .php-files:
> 	if(!isset($Version)) {
> 	  header('Content-Type: text/plain');
> 	  print implode('',file($_SERVER['SCRIPT_FILENAME']));
> 	  exit;
> 	}
> The idea is that the variable '$Version' which is set by pmwiki.php must 
> exist, otherwise the current .php file is simply shown as text.
> Is there a risk that $_SERVER['SCRIPT_FILENAME'] won't be portable?

Yes :-( - I've run into that problem once. Not sure what environment and
version it was so. Since you are in the file you might be able to use
something like __FILE__ (which was broken in some versions too thoug :()

> As for the variable, it's actually defined in scripts/version.php and I 
> would prefer using variable defined directly in pmwiki.php, and that 
> it has a more verbose name. E.g. something like:
> 	$PmWiki	= true;	
> 	$PmWikiDefined = true;
> 	$PmWikiRunning = true;
> 	$PmWikiVersion = $Version;
> Patrick, what do you think of adding one of the variables above to 
> pmwiki.php?

I strongly vote against using variables. If you have a box that has
register_globals on they can be set using different ways. A better idea
is to use defines:

define('pmWiki', true); // in files that are allowed to be called externally

if (!defined('pmWiki')) {  // all other files
    print('Sorry, you are not allowed to view this file directly!');


More information about the pmwiki-users mailing list