On Wed, June 1, 2005 1:29 am, Denis Gerasimov said:
> Second, which way are you differ PHP .inc files from HTML .inc files?

There is no such thing as an HTML .inc file. :-)

All your HTML .inc files, by definition, if they are being require'd or include'd into PHP *are* PHP .inc files.

It is merely a coincidence of your design that they happen to have no <?php ?> tags in them.

You *MAY* want to separate those into another non-web-tree directory.

> Third, I always write context-independent include files. Example?...

Can you guarantee that every .inc and .inc.php and .php file in every third-party application is context-independent?

Suppose your client insists tomorrow that you install [insert least favorite forum software here]?

You *NEED* to have the policy/procedure in place to get those .inc and .inc.php and non-entry .php files *OUT* of the web-tree, or you will get bit, sooner or later.

It's simply too easy to transfer a site and lose the .htaccess files, or for a new/changed httpd.conf to not have the .inc rules or mess up PHP completely or...

Why risk the possibility of your code being exposed or executed out of context when it's so *EASY* to move the include files and set include_path?

I just don't understand the resistance to such a simple straight-forward elegant security measure.

For 5 minutes of time, you can avoid dozens of potential pitfalls.

[shrug]

--
Like Music?
http://l-i-e.com/artists.htm
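
The relocation recommended in the message above, as an added example that is not part of the original post: a POSIX shell sketch that lists `.inc` and `.inc.php` files still inside a web root and moves them to a directory outside it, keeping relative paths. The function names and the directory arguments are hypothetical; non-entry `.php` files cannot be told apart by extension and still need a manual review.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; both directories are supplied by the caller.
# Assumes file names contain no newline characters.

# Print every *.inc and *.inc.php file under the web root ($1),
# as paths relative to that root, one per line.
list_web_includes() {
    ( cd "$1" &&
      find . -type f \( -name '*.inc' -o -name '*.inc.php' \) |
      sed 's|^\./||' | sort )
}

# Move those files from the web root ($1) into an existing include
# directory ($2), preserving relative paths so that
# require 'lib/db.inc' still resolves once include_path names $2.
# Refuses to run when $2 is the web root or lies inside it.
move_includes_out() {
    webroot=$(cd "$1" && pwd -P) || return 2
    incdir=$(cd "$2" && pwd -P) || return 2
    case "$incdir/" in
        "$webroot"/*)
            echo "refusing: $incdir is inside $webroot" >&2
            return 1 ;;
    esac
    list_web_includes "$webroot" | (
        while IFS= read -r rel; do
            mkdir -p "$incdir/$(dirname "$rel")" &&
            mv "$webroot/$rel" "$incdir/$rel" || exit 1
        done
    )
}
```

After the move, point `include_path` in php.ini at the new directory; re-running `list_web_includes` after each deployment or third-party install shows whether any include files have crept back into the web tree.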