KJ wrote:
> Ah OK. So the only includes should be out of the web tree, or on a
> remote site?
>
> Nice one.

I hope you're not being sarcastic, because this statement is actually 100% true.

Your web-sites should have clearly-defined 'entry points' which are pages that you actually expect people to surf to.

Everything else, which is to say your include files, do *NOT* belong in your web tree.

You configure your server/PHP to find the include files from outside the web tree. Those files then cannot be surfed to.

If you do *NOT* do this, you can pretty much guarantee that Bad Guys will surf to internal/include files directly, and use them to break into your server, inject SQL, cross-site 'include' their own code, etc.

By all means, if you want to disable remote include, go ahead and change the PHP source to do so: But you're *NOT* solving your real problem.

You will *still* have huge chunks of code in the web tree that Programmers, who probably already don't have their Security hat on enough, typed with absolutely NO THOUGHT for "What if somebody surfs directly to this include file?"

They've never even tested it, as part of their web application testing, because they never expected it to happen.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
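
The check the message above implies, as an added example that is not part of the original post: a PHP CLI script that lists every PHP-like file under a document root that is not a declared entry point. The function name `find_stray_includes`, the directory names and the entry-point list are assumptions, and the sample tree is constructed.

```php
<?php
declare(strict_types=1);

/**
 * Report files in the web tree that are not expected entry points.
 *
 * @param string   $docroot     web tree to audit
 * @param string[] $entryPoints paths, relative to $docroot, that users are meant to request
 * @return string[] relative paths that can be requested directly but should not be
 */
function find_stray_includes(string $docroot, array $entryPoints): array
{
    $root = realpath($docroot);
    if ($root === false) {
        throw new InvalidArgumentException("docroot not found: $docroot");
    }
    $allowed = array_flip($entryPoints);
    $stray = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Extensions treated as "include files" here are an assumption; adjust per site.
        if (!in_array(strtolower($file->getExtension()), ['php', 'phtml', 'inc'], true)) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root));
        $rel = ltrim(str_replace('\\', '/', $rel), '/');
        if (!isset($allowed[$rel])) {
            $stray[] = $rel;
        }
    }
    sort($stray);
    return $stray;
}

// Constructed sample tree so the script runs offline (hypothetical layout).
$base = sys_get_temp_dir() . '/docroot_audit_' . bin2hex(random_bytes(4));
mkdir("$base/public/inc", 0700, true);   // web tree
mkdir("$base/includes", 0700, true);     // outside the web tree
file_put_contents("$base/public/index.php", "<?php require 'db.php';");
file_put_contents("$base/public/inc/db.php", "<?php // reachable by URL");
file_put_contents("$base/public/inc/header.inc", "<?php // reachable by URL");
file_put_contents("$base/includes/db.php", "<?php // not reachable by URL");

print_r(find_stray_includes("$base/public", ['index.php']));
```

Files the script reports are candidates to move into a directory outside the document root and load through PHP's `include_path` setting.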