Re: Re[2]: include files, ".php" or ".inc" ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



--- Richard Davey <rich@xxxxxxxxxxxxxxxx> wrote:
> MK> Yes, .inc files will show up as they are - php source, db
> MK> username/password etc. So it's even less secure unless you
> forbid serving them:
> 
> That would be the "properly configured web server" section of
> my post, assuming this has been done they are definitely not
> less secure than placing those details in a .php.

Let's not muddy the waters, though. :-)

I have no opinion about whether .inc or .inc.php is a better convention
for modules stored within document root, because storing modules in
document root is a terrible idea. If you do this, whether by choice or due
to some factor you cannot control, you're going to have to accept that it
is a security risk, regardless of the name.

I know you both agree, but I want to make sure this point isn't lost. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly     HTTP Developer's Handbook - Sams
Coming February 2005        http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux