Why do most of the Joomla! PHP files start with defined(' JEXEC')?
From Joomla! Documentation
Revision as of 13:52, 8 September 2012 by NickSavov
Almost all PHP files within Joomla! begin with the following statement:
defined('_JEXEC') or die('Restricted access');
This statement checks to see if the file is being called from within a Joomla! session and it protects your site by making it more difficult for a cracker/hacker to damage your site.
It helps in two majors ways: 1) It prevents errors from running a PHP file that is expecting to be run inside the Jooma bootstrap and it prevents path disclosure vulnerabilities arising from the PHP fatal errors that are generated. 2) It prevents accidental injection of variables through a register globals attack that trick the PHP file into thinking it is inside the application when it really isn't.
Setting the error reporting down would have a similar effect, however there are configurations where changing PHP's INI settings aren't permitted. The JEXEC check works regardless of whether the configuration can be changed and has no other side effects (e.g. if you're debugging having every file reduce the error reporting would be annoying because you'd have to either set a debug flag to stop it or after each file is included reset error reporting, not fun!).
Note, this line should NOT be included in your main index.php file, since this is the program that starts the Joomla! session.