lesintegristes / lesintegristes-theme

The WordPress Theme that we use for our blog
http://www.lesintegristes.net/

What is the "No direct file load" code line purpose? #48

Closed welovewebdesign closed 11 years ago

welovewebdesign commented 11 years ago

I'd never seen this line of code in a WordPress theme before. Is it a specific lesintegristes-theme requirement?

if (!empty($_SERVER['SCRIPT_FILENAME']) && realpath($_SERVER['SCRIPT_FILENAME']) === realpath(__FILE__)) { die(); }
bpierre commented 11 years ago

It is for preventing direct access to the files. The web server should prevent direct access to the theme files (.htaccess), but this is an additional measure.

// The PHP file called by the server
// (with WordPress, everything is managed by the index.php file)
echo $_SERVER['SCRIPT_FILENAME'];
// The current file
echo __FILE__;

// If both names are the same, it means the current file has been directly called.

Example:
http://www.lesintegristes.net/wp-content/themes/lesintegristes/sidebar.php
http://www.presse-citron.net/wordpress_prod/wp-content/themes/steaw-citron/sidebar.php

bpierre commented 11 years ago

We should replace it with:

if (!defined('WP_USE_THEMES')) return;

Since the WP_USE_THEMES constant is defined in the index.php file.
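The two guards discussed in this thread, packaged as helpers a template can call (an added example, not code from lesintegristes-theme; the function names are hypothetical, and the file is assumed to live in a theme directory that WordPress normally includes from index.php):

```php
<?php
/**
 * Added example (not part of lesintegristes-theme): the two guards discussed
 * in this issue, written as small helpers so a template can call them.
 * Assumption: this file sits in a theme directory and is normally included
 * by WordPress, whose index.php has already defined WP_USE_THEMES.
 */

/**
 * Returns true when this very file is the script the web server executed,
 * i.e. someone requested /wp-content/themes/<theme>/sidebar.php directly
 * instead of WordPress including it from index.php.
 * realpath() is applied to both sides so symlinked document roots compare equal.
 */
function lesint_example_is_direct_request(string $file): bool
{
    if (empty($_SERVER['SCRIPT_FILENAME'])) {
        return false; // CLI or unusual SAPI: there is no script path to compare
    }
    $script = realpath($_SERVER['SCRIPT_FILENAME']);
    $self   = realpath($file);
    // realpath() returns false for a missing path; treat that as "not direct"
    return $script !== false && $self !== false && $script === $self;
}

/**
 * The replacement suggested in the thread: WordPress's front controller
 * (index.php) defines WP_USE_THEMES before any template is loaded, so a
 * template reached without it was not loaded through WordPress.
 * ABSPATH is defined by wp-config.php / wp-load.php and is the guard most
 * plugins and themes use for the same purpose, so it is accepted as well.
 */
function lesint_example_loaded_via_wordpress(): bool
{
    return defined('WP_USE_THEMES') || defined('ABSPATH');
}

// Usage at the top of a template such as sidebar.php.
// Answering 403 instead of a bare die() makes the blocked request visible in
// the access log; an empty 200 response looks like a normal hit to log review.
if (lesint_example_is_direct_request(__FILE__) || !lesint_example_loaded_via_wordpress()) {
    http_response_code(403);
    exit;
}
```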