Code File Security in PHP
While I was trying to implement MVC in PHP, it occurred to me to ask how I would be able to secure my code (i.e. prevent HTTP GET access to some parts). My friend, who is a PHP programmer, forgot that on some web servers the .inc extension is not configured as a MIME type for PHP. Good thing I told him about that. Other than this, I related it to my experience with J2EE web containers, where everything in the WEB-INF directory is restricted from external access.
In the Apache web server, I know that it's possible to restrict some parts of your app's directory. I'm not entirely sure if that would include direct access to files like:
www.myapp.com/forbiddendirectory/ <---Might be possible to protect directory listing
www.myapp.com/forbiddendirectory/myunsecurescript.php <--- I don't know if it's possible to secure this through server configuration
I didn't want to take any chances, so I asked my friend if he knew of such a solution. He showed me Joomla's security feature, where every code(?) has this line written (it looks something like this):
<?php defined('SECURE_FILE') or die("Access denied"); ?>
And in the main page (index), something like this is defined:
<?php define('SECURE_FILE', 1); ?>
It's a good thing for me because I only have index.php as the main point of entry for all requests (à la Front Controller). Thus, all access to my PHP classes is restricted without going through index.php first.
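On the Apache question raised above, server configuration can cover both the directory listing and direct requests to a script. The following is an added example, not part of the original post: it assumes Apache 2.4 and a hypothetical document root of /var/www/myapp/public, and reuses the post's host and directory names.

```apache
# Added example. The filesystem paths are assumptions, not from the post.
# Apache 2.4 syntax (mod_authz_core), placed in the virtual host config.

<VirtualHost *:80>
    ServerName www.myapp.com
    DocumentRoot "/var/www/myapp/public"

    <Directory "/var/www/myapp/public">
        # No auto-generated listings for any directory under the docroot.
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # Refuses the listing and direct requests such as
    # /forbiddendirectory/myunsecurescript.php with 403 Forbidden.
    # include/require from index.php reads the file from disk, so the
    # front controller can still load these scripts.
    <Directory "/var/www/myapp/public/forbiddendirectory">
        Require all denied
    </Directory>

    # .inc files are sent as plain text unless mapped to PHP; refuse them.
    <FilesMatch "\.inc$">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

The constant check in each file still works as a second layer on hosts where the server configuration is not under your control.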