1. Manh
  2. Joomla
  3. Monday, 30 September 2019
Almost all PHP files in Joomla! begin with the following statement:

defined('_JEXEC') or die;

This statement checks to see if the file is being called from within a Joomla! session and it protects your site by making it more difficult for a cracker/hacker to damage your site.

It helps in two major ways:

1) It prevents errors from running a PHP file that expects to be run inside the Joomla! bootstrap, and it prevents the path disclosure vulnerabilities that arise from the PHP fatal errors such a run generates.

2) It prevents accidental injection of variables through a register globals attack that tricks the PHP file into thinking it is inside the application when it really isn't.

Turning error reporting down would have a similar effect; however, there are configurations where changing PHP's INI settings isn't permitted. The JEXEC check works regardless of whether the configuration can be changed and has no other side effects (e.g. if you're debugging, having every file reduce the error reporting would be annoying because you'd have to either set a debug flag to stop it or reset error reporting after each file is included, not fun!).

Note, this line should NOT be included in your main index.php file, since this is the program that starts the Joomla! session.
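An added example, not part of the original post and not Joomla! code: a small audit script that lists PHP files in an extension tree whose first statement is not the _JEXEC check. The function names, the accepted guard spellings (die or exit, with or without a message, optional leading backslash), the allowance for namespace/use/declare lines before the guard, and the sample files are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Accepted guard forms (assumption): defined('_JEXEC') or die; also \defined, ||, exit, die('msg').
GUARD = re.compile(r"""\\?defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b""", re.I)
# An entry point such as index.php defines the constant itself, so it carries no guard.
ENTRY = re.compile(r"""\bdefine\s*\(\s*['"]_JEXEC['"]""", re.I)
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)
# Only the open tag and namespace/use/declare statements may precede the guard (assumption).
PREAMBLE = re.compile(r"\s*<\?php\s+(?:(?:namespace|use|declare)\b[^;]*;\s*)*", re.I)

def classify(source):
    """Return 'entry', 'guarded', 'late-guard' or 'unguarded' for one PHP source string."""
    code = COMMENTS.sub("", source)  # a commented-out guard protects nothing
    if ENTRY.search(code):
        return "entry"
    guard = GUARD.search(code)
    if guard is None:
        return "unguarded"
    pre = PREAMBLE.match(code)
    return "guarded" if pre and pre.end() == guard.start() else "late-guard"

def audit(root):
    """Map relative path -> status for every .php file under root that lacks a leading guard."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        status = classify(path.read_text(encoding="utf-8", errors="replace"))
        if status in ("unguarded", "late-guard"):
            findings[path.relative_to(root).as_posix()] = status
    return findings

# Constructed sample tree, not taken from any real Joomla! installation.
SAMPLE = {
    "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire 'app.php';\n",
    "app.php": "<?php\n/** @package demo */\ndefined('_JEXEC') or die;\n$app = 1;\n",
    "helper.php": "<?php\nnamespace Demo;\n\n\\defined('_JEXEC') or die;\nclass Helper {}\n",
    "legacy.php": "<?php\n// defined('_JEXEC') or die;\necho $mainframe->getCfg('tmp');\n",
    "late.php": "<?php\nrequire_once JPATH_BASE . '/x.php';\ndefined('_JEXEC') or die;\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    print(demo())
```

Files reported as late-guard do contain the check, but other code runs before it, so a direct request can still reach that code.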