On Thu, 02 Jun 2005 00:44:12 -0400, in php.general shiflett@xxxxxxx (Chris Shiflett) wrote:

>3. The debate between storing includes outside of document root versus
>using a .php file extension, instructing Apache to process .inc files as
>PHP, instructing PHP to deny requests for .inc files, etc.

I agree regarding code on your own server/project. I do believe that the situation is another when you are manager of some project where your php code is being distributed to several different systems beyond your control (think phpmyadmin, phpnuke, etc. - maybe not the best examples regarding security record, though :-)

In that case, one could create some requirements regarding the installation of the php application that some customers at web hosting companies might not be able to follow (e.g. create a .htaccess denying .inc-files, create folders outside of webscope), or one could make a trade-off between ease of installation and higher security. One way of achieving this could be the sole use of .php-extensions (and code constructed in a way that direct access would cause no harm).

I believe that there is reason to differ in these two cases for practical reasons. In the latter case a lot of assumptions could cause damage. Poorly implemented high security could be worse than moderate, application based security.

--
- Peter Brodersen

--
PHP General Mailing List (http://www.php.net/)
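The ".php extension only, with code that is harmless on direct access" option from the message above can be checked mechanically before a release. The following is an added example, not code from the thread or from any project it names: the hypothetical function `topLevelSideEffects()` uses PHP's tokenizer to report statements in an include file that would run if the file were requested directly, and both sample sources are constructed.

```php
<?php
// Added example: heuristic check that a .php include file only declares
// things, so requesting it directly through the web server does nothing.
function topLevelSideEffects(string $source): array
{
    $declares  = [T_FUNCTION, T_CLASS, T_INTERFACE, T_TRAIT, T_ABSTRACT,
                  T_FINAL, T_NAMESPACE, T_USE, T_CONST, T_DECLARE];
    $ignored   = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $continues = [T_ELSE, T_ELSEIF, T_CATCH, T_FINALLY];
    $findings = [];      // keyed by line so one statement is reported once
    $depth = 0;          // brace nesting; 0 means file scope
    $atStart = true;     // next token begins a new top-level statement
    $line = 1;
    foreach (token_get_all($source) as $token) {
        [$id, $text] = is_array($token) ? [$token[0], $token[1]] : [null, $token];
        if ($id !== null) { $line = $token[2]; }
        if (in_array($id, $ignored, true)) { continue; }
        if ($depth === 0 && $atStart && $token !== ';') {
            $ok = in_array($id, $declares, true) || in_array($id, $continues, true)
                || ($id === T_STRING && strtolower($text) === 'define');
            if (!$ok) {
                $findings[$line] ??= "line $line: " . ($id === null ? $text : token_name($id));
            }
            $atStart = false;
        }
        if ($token === '{' || $id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            $depth++;
        } elseif ($token === '}') {
            $depth--;
            $atStart = ($depth === 0);
        } elseif ($token === ';' && $depth === 0) {
            $atStart = true;
        }
    }
    return array_values($findings);
}

// Constructed sample sources, not taken from any real project.
$declarationsOnly = <<<'PHP'
<?php
define('APP_VERSION', '1.0');
function render_header($title) { return "<h1>{$title}</h1>"; }
PHP;
$runsOnRequest = <<<'PHP'
<?php
function reset_counters() { /* ... */ }
reset_counters();
PHP;
print_r(topLevelSideEffects($declarationsOnly));
print_r(topLevelSideEffects($runsOnRequest));
```

The check is deliberately strict: top-level `require`, `return`, inline HTML and guard `if` blocks are all reported and need a manual look.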