Kohana: Is it necessary to check if SYSPATH is defined?

2

5

I'm a CodeIgniter user and I'm taking a look at Kohana. First thing I noticed is that in the documentation every snippet starts with:

<?php defined('SYSPATH') or die('No direct script access.');

Assuming I'll be using .htaccess for address rewrite, is this really necessary? Is it an alternative to .htaccess for the purpose of avoiding direct access? Is it just a good practice for "defense in depth"?

Comedienne answered 13/2, 2010 at 17:32 Comment(1)
CodeIgniter does it too: if ( ! defined('BASEPATH')) exit('No direct script access allowed'); - Abridge
10

If you are using a .htaccess file to protect your system files, this is not required. However, since Kohana has to support non-.htaccess use, we place that there in the core system files for some basic security.

Layby answered 13/2, 2010 at 17:54 Comment(1)
+1 Nice to have the Kohana Framework Developer himself address this. - Moorhead
5

It's used to make sure you can only access the scripts through index.php (where SYSPATH is defined).

It's another layer of security if your script files are in a web accessible location. This check will stop people from executing classes like http://example.com/application/classes/controllers/welcome.php

In reality the files should be outside of the webroot with the index.php referencing the right locations, but that's not possible all the time, so they have that check.

I guess you could get away with leaving it out if you have .htaccess protecting those directories, but it doesn't cost anything to have so you might as well just keep it.

Looksee answered 13/2, 2010 at 17:51 Comment(2)
I expanded on the answer for you. - Looksee
This is a good answer too, keeping your system and module files outside of the webroot is the best security for them. - Layby
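
Where the files have to stay under the webroot, the guard only helps if every file carries it as its first statement. The following audit script is an added example, not code from Kohana or from the answers above: it lists .php files that lack the SYSPATH (or CodeIgniter BASEPATH) check. The function names and the assumption that a top-level index.php is the only entry point are hypothetical.

```python
import re
from pathlib import Path

# Guard forms quoted on this page: Kohana's SYSPATH check and CodeIgniter's BASEPATH check.
GUARD = re.compile(
    r"""^(?:
        defined\(\s*['"](?:SYSPATH|BASEPATH)['"]\s*\)\s*(?:or|OR|\|\|)\s*(?:die|exit)\b
      | if\s*\(\s*!\s*defined\(\s*['"](?:SYSPATH|BASEPATH)['"]\s*\)\s*\)\s*(?:die|exit)\b
    )""",
    re.VERBOSE,
)
# Whitespace and comments that may legitimately precede the guard.
SKIP = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.DOTALL)


def has_guard(source: str) -> bool:
    """True if the first PHP statement in the file is a direct-access guard."""
    m = re.match(r"\s*<\?php\b", source)
    if not m:
        return False  # no opening tag at the top, so nothing guards the file
    rest = source[m.end():]
    rest = rest[SKIP.match(rest).end():]
    return GUARD.match(rest) is not None


def unguarded_files(webroot, entry_points=("index.php",)):
    """Return relative paths of .php files under webroot that lack the guard."""
    root = Path(webroot)
    missing = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if rel in entry_points:
            continue  # the front controller defines SYSPATH, so it cannot check it
        if not has_guard(path.read_text(encoding="utf-8", errors="replace")):
            missing.append(rel)
    return missing
```

A guard that appears after other statements is reported as missing, because code above it would already have run on a direct request.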
