php - website security using global variable

I was recently browsing some PHP source code, particularly that of forum software like phpBB and esoTalk.

I noticed one thing: most of them used a global variable at the start of their page as some sort of security, like so:

if (!defined("IN_ESOTALK")) exit; //For esotalk
if (!defined("IN_PHPBB")) exit; //FOR phpbb

What sort of security is this? I don't understand. Could you explain to me what this prevents and how?

Thanks, Vidhu

Krimson asked Jan 01 '13 21:01

1 Answer

It works by making sure the PHP script doesn't run unless the framework has started up. This way the user can't execute a script without going through the proper page.

Here's an example. We have 2 files:

index.php

<?php
     define("_MY_FRAMEWORK", 1);
     echo 'started';
     require('script.php');
?>

and script.php

<?php
    if (!defined("_MY_FRAMEWORK")) exit;
    echo "my script";
?>

If you run script.php directly, nothing will happen because _MY_FRAMEWORK has not been defined. It will exit.

However, if you run index.php, which includes script.php, the script will continue because you did define _MY_FRAMEWORK first. You will get the full output: started followed by my script.

@Gumbo makes a good point: If you haven't seen define before, it defines a constant that cannot be changed. The user contributions to the PHP documentation can be helpful to understand how it works.

Levi answered Sep 18 '22 10:09
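
An added example (not part of the answer above, and not code from phpBB or esoTalk): a PHP audit script that reports include files whose first statement is not the guard described in the answer. The function names, the entry-point list and the sample files are assumptions constructed for illustration; beyond the `if (!defined(...)) exit;` form shown on this page, it also accepts the equivalent `defined(...) or exit;` spelling.

```php
<?php
// Added example; _MY_FRAMEWORK comes from the answer, the sample tree is constructed.

/** True if the first statement of $source exits unless $const is defined. */
function hasGuard(string $source, string $const): bool
{
    $code = '';
    foreach (token_get_all($source) as $tok) {
        // Drop the open tag, whitespace and comments so layout does not matter.
        if (is_array($tok) && in_array($tok[0], [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        $code .= is_array($tok) ? $tok[1] : $tok;
    }
    $q = '["\']' . preg_quote($const, '/') . '["\']';
    // Accepts `if (!defined("X")) exit;` and the equivalent `defined("X") or exit;`.
    $guard = '/^(?:if\(!defined\(' . $q . '\)\)\{?|defined\(' . $q . '\)(?:or|\|\|))(?:exit|die)\b/';
    return preg_match($guard, $code) === 1;
}

/** Relative paths of .php files under $dir that lack the guard, entry points excluded. */
function findUnguarded(string $dir, string $const, array $entryPoints): array
{
    $missing = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        if ($file->getExtension() !== 'php' || in_array($rel, $entryPoints, true)) {
            continue;
        }
        if (!hasGuard(file_get_contents($file->getPathname()), $const)) {
            $missing[] = $rel;
        }
    }
    sort($missing);
    return $missing;
}

// Constructed sample tree: entry point, guarded include, unguarded include.
$dir = sys_get_temp_dir() . '/guard_audit_' . uniqid();
mkdir($dir);
file_put_contents("$dir/index.php", "<?php\ndefine('_MY_FRAMEWORK', 1);\nrequire 'script.php';\n");
file_put_contents("$dir/script.php", "<?php\nif (!defined(\"_MY_FRAMEWORK\")) exit;\necho 'my script';\n");
file_put_contents("$dir/helper.php", "<?php\necho 'runs on direct request';\n");

print_r(findUnguarded($dir, '_MY_FRAMEWORK', ['index.php']));
```

Files that only declare functions or classes do nothing when requested directly, so treat each reported path as a candidate for review, not a confirmed exposure.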