moving outside the webtree is the best option, where practical. Calling the files whatever.inc.php allows you to disallow access to .inc.php files via the apache config file. On 6/1/05, Richard Lynch <ceo@xxxxxxxxx> wrote: > On Tue, May 31, 2005 10:55 am, Leif Gregory said: > > Hello Martin, > > > > Sunday, May 29, 2005, 9:24:00 PM, you wrote: > > M> I saw files like "file.inc.php" and "file.inc" > > M> What is the *.inc suffix good for ? > > > > It's good for a lot of trouble if the webserver hasn't been set up to > > parse .inc files as PHP. If it hasn't then someone can request that > > file in a broswer and see the code. > > Gak! > > It's good for even *MORE* trouble if the webserver is set up to parse .inc > as PHP! > > You've got files that people can get executed *COMPLETELY* out of context, > that *NOBODY* even though about being executed out of context, much less > *TESTED* in any kind of QA process! > > I can surf to http://example.com/admin.inc and who knows what will happen > if that PHP code in there gets executed without all the code you expected > to be executed before that code? > > > I'd just stay away from using .inc for an include and do either of the > > below: > > > > config.inc.php > > > > or just > > > > config.php > > Neither of which solve the base problem: > > The *REAL* solution is to put your .inc files *OUTSIDE* the web-tree where > they simply CANNOT be executed out of context (by surfing to them) and > cannot be downloaded by Bad Guys looking for holes. > > You can also add code to the beginning of every .inc file which attempts > to examine the state of the HTTP request to determine that it is not being > called out of context, but that's a pain to have to put in every file, or > to have to remember to include the include file that does that, and to > hope that every developer (or even just you) remembers to do that. It's > really much easier to just fix your include_path, move the files where > they cannot get accessed, and be done with it. > > Just my opinion. > > -- > Like Music? > http://l-i-e.com/artists.htm > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
