Basically this particular case boils down to: "files that are included and should not a be called directly" should not be allowed to be called directly.
You can do this at the application level whereby each included file checks whether it was called directly and refuse to run when that is so.
Or you can do this on a system level and tell your webserver not to allow access to particular files or directories.
Yes, you could do either of the above.
I don't have an issue with solutions that PHP (or Apache) provide for avoiding this problem. I DO have an issue with the fact that this problem is caused by a single "feature" is probably not used by many and should be able to be turned off, much like register globals.
Forget possible solutions and work arounds for one moment; when I download and install a popular application, I don't go through every bit of source code to check if these workarounds have been applied. I would much rather set a allow_url_include flag to "off", and not have to worry about that. There are plenty of things you need to worry about when hosting, and this would create one less.
KJ
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
