Charas

Reputation: 1831

CI: should I use defined BASEPATH on model and view?

As I understand it, in CI, for security reasons, we must write this line of code

defined('BASEPATH') OR exit('No direct script access allowed');

at the top of every controller page so as to prevent the controller from being run on its own.

However, I am wondering whether it is necessary to write this code on every view and model page too. I have searched through Google and Stack Overflow, and no one explains this clearly for view and model pages.

Thank you in advance

Upvotes: 0

Views: 272

Answers (3)

Rafique Ahmed

Reputation: 117

It is always safer to add

 defined('BASEPATH') OR exit('No direct script access allowed');

in your model and view, because if your server does not allow .htaccess, or it is overridden, the script can be accessed.

Upvotes: 0

Narf

Reputation: 14752

No, you don't necessarily need to do this.

CodeIgniter stock files have this line because it tries to run with almost zero configuration, which often means the user has put everything under the webroot.

But that being said, it doesn't mean your setup should be like that. Quite the opposite - only your index.php file should be accessible via the web, and if you do that, these lines don't matter.

And of course, you could deny access to the framework files via .htaccess rules in Apache or proper location blocks under nginx.

Upvotes: 1

Rejoanul Alam

Reputation: 5398

Yes, this is necessary for security reasons. It is for disallowing direct access to your view and model files through the browser. If you don't include this, anyone can access your files via the browser, and this is a risk.

However, you may disallow direct access to your files through .htaccess in the application directory with the following code:

<IfModule authz_core_module>
    Require all denied
</IfModule>
<IfModule !authz_core_module>
    Deny from all
</IfModule>

Upvotes: 0
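
An added example, not part of any answer above: a Python audit that walks a CodeIgniter tree and reports PHP files whose first statement is not the `defined('BASEPATH') OR exit(...)` guard, plus framework directories without a deny-all `.htaccess`. The function names, the sample tree and the assumption that the framework directories are called `application` and `system` are illustrative.

```python
import re, tempfile
from pathlib import Path

# The guard line from the question, tolerating "||" for OR and either quote style.
GUARD = re.compile(
    r"defined\s*\(\s*['\"]BASEPATH['\"]\s*\)\s*(?:OR|\|\|)\s*(?:exit|die)\s*\(", re.I)
# Apache 2.4 or 2.2 syntax for a blanket deny, as in the .htaccess answer.
DENY = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)
# Comments that may legitimately sit between <?php and the guard.
LEADING = re.compile(r"^(?:\s*(?://[^\n]*|#[^\n]*|/\*.*?\*/))*\s*", re.S)

def has_guard(php_source: str) -> bool:
    """True only if the guard is the first statement after the opening <?php tag."""
    body = re.sub(r"^\s*<\?php\s*", "", php_source, count=1)
    return GUARD.match(LEADING.sub("", body, count=1)) is not None

def audit(root: Path) -> dict:
    """List unguarded PHP files and framework dirs lacking a deny-all .htaccess."""
    report = {"unguarded": [], "no_deny": []}
    for name in ("application", "system"):  # assumed default directory names
        top = root / name
        if not top.is_dir():
            continue
        ht = top / ".htaccess"
        if not (ht.is_file() and DENY.search(ht.read_text(errors="replace"))):
            report["no_deny"].append(name)
        for php in sorted(top.rglob("*.php")):
            if not has_guard(php.read_text(errors="replace")):
                report["unguarded"].append(php.relative_to(root).as_posix())
    return report

def build_sample(root: Path) -> None:
    """Write a constructed sample tree: guarded controller and view, unguarded model."""
    guard = "<?php\ndefined('BASEPATH') OR exit('No direct script access allowed');\n"
    files = {
        "application/controllers/Welcome.php": guard + "class Welcome {}\n",
        "application/models/User_model.php": "<?php\nclass User_model {}\n",
        "application/views/home.php": "<?php\n// view\ndefined(\"BASEPATH\") || exit('no');\n?><h1>Home</h1>\n",
        "application/.htaccess": "<IfModule authz_core_module>\n    Require all denied\n</IfModule>\n",
        "system/core/Loader.php": guard,
    }
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(audit(Path(tmp)))
```

The `.htaccess` check only confirms the directive is on disk; whether the server honours it depends on its override settings, and nginx ignores `.htaccess` files entirely.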
