How to Protect PHP Code

A classic method to protect your PHP code like Fort Knox is to organize your PHP code and make sure hackers are not passing harmful GET and POST parameters to your scripts. If you have variables that are not initialized, they can be open to outside manipulation. A great example is a Boolean value that is initialized to an untrue value. Implementing a variable screening procedure at the commencement of every code execution is the solution to this security problem. Typically this is done using a switch statement. Setting this up in the most efficient way can be done in just a few quick steps.

Protect PHP Code Step One:
You need to put all of your PHP code in a separate folder! Do not leave it sitting in the same folder as the index.php file; this is the most important step to protect your PHP code. All PHP files in the root directory are easy targets for hackers to access. The folder name we will use in this example is inc, for include.

Protect PHP Code Two:
After we have all of our PHP code in the include folder we will need to develop our main index.php file. Every page will be displayed by passing a GET variable to the index.php file. The index.php file will then screen the GET variable for harmful code and display the desired page if the code is found free of hacker contamination.

As you might now see, the index.php file is nothing more than a file with a long switch statement. The GET variable we will be passing to our scripts will be called page. Thus, the page variable will be analyzed by the switch statement. If you have a ton of pages, you'll need to put all the acceptable values for the GET variable into a database and query the database to determine if the value is relevant.

I am assuming you have an understanding of functions and switch statements so here is a code example below:

switch ($_GET['page'])
{

case 'home':

$legit = "NO";

$legit = is_legit();

if ($legit = "YES"){

include 'inc/home.php';

}

break;

This code looks to see what the value of the GET variable page is and if it has a value of home it starts to screen the data. The $legit variable is initialized to no and then the is_legit() function is called. In side the legit function you can screen other variables and do all sorts of data validation procedures. If your data is legit, the if statement kicks in and calls the home.php page. Every page is treated in this same manner, and this ensures the no hostile data is passed from the outside.

Protect PHP Code Step 3:
A final component we can incorporate from my last article on PHP security is the defining of a constant before we call the code. The code follows:

define("MyConstant ", true);
At the beginning of the code included we include the following statement:
if (!defined("MyConstant"))
{
die ("File Not Found");
}

Now we are able to define a constant if the data is legit and include our file. This stops outside intruders from easily hacking our PHP code.


If you have several pages making switch statements for each value simply isn't practical. You'll need to design a database and run a query against the stored acceptable values of your GET and POST data for each page. If the value is acceptable then you can just include the page dynamically. The following if statement, in conjunction with your prior database screening, could suffice for the entire switch statement.

if($query = "true"){
$legit = "NO";
$legit = is_legit();
if ($legit = "YES"){

include 'inc/home.php';
}
}

This way the user never sees any of the files you store in the inc folder and is forced to discover them by some other, much more difficult, means.

COUNTER