--- Richard Davey <rich@xxxxxxxxxxxxxxxx> wrote: > MK> Yes, .inc files will show up as they are - php source, db > MK> username/password etc. So it's even less secure unless you > forbid serving them: > > That would be the "properly configured web server" section of > my post, assuming this has been done they are definitely not > less secure than placing those details in a .php. Let's not muddy the waters, though. :-) I have no opinion about whether .inc or .inc.php is a better convention for modules stored within document root, because storing modules in document root is a terrible idea. If you do this, whether by choice or due to some factor you cannot control, you're going to have to accept that it is a security risk, regardless of the name. I know you both agree, but I want to make sure this point isn't lost. :-) Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly HTTP Developer's Handbook - Sams Coming February 2005 http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php