Mark Kelly wrote:
> On Friday 26 May 2006 14:56, Matt Carlson wrote:
>> One note on include files. Usually it's "best practice" to not name them
>> .inc
>>
>> Name them .inc.php so that they cannot be opened by a web browser, thus
>> giving more information to a potential attacker.
>
> Is this still a concern when all include files are stored outside the
> webroot (and thus in theory not directly accessible) anyway?

in practice this would no longer be a concern - but using inc.php makes the file
instantly recognizable as a php file by the guy that will be doing your work in 5 years
time ;-) and if ever you move the files somewhere inside the webroot (or someone else
happens to make an apache alias that makes them available) then you're still safe :-)
besides .inc.php seems to be/becoming a sort of de facto std (no need for filenaming
jihad people ;-)

>> Just my $.02
>
> And much appreciated it is too - I'd *far* rather have too much advice than
> not enough - especially where security is concerned.

always look both ways when crossing the street. ;-)

> Mark
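The check this thread implies, as an added example that is not part of the original posts: a shell function that walks a web root and lists files containing PHP source whose names do not end in `.php`, which is the case where a `.inc` file moved or aliased into the web root would be served as plain text. The function names, the sample tree and the assumption that the server hands only `*.php` to the interpreter are illustrative, not taken from the thread.

```shell
#!/bin/sh
# Added example: find PHP source under a web root that the server would
# deliver as plain text because the file name does not end in .php.
# Assumption: only *.php is mapped to the PHP interpreter.

# find_exposed_includes DIR
# Prints matching paths, sorted, one per line.
# Returns 0 if none found, 1 if any found, 2 if DIR is not a directory.
find_exposed_includes() {
    webroot=$1
    if [ ! -d "$webroot" ]; then
        echo "not a directory: $webroot" >&2
        return 2
    fi
    # Non-.php files that contain a literal PHP open tag.
    hits=$(find "$webroot" -type f ! -name '*.php' \
               -exec grep -l -F -e '<?php' {} + 2>/dev/null | sort)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample tree (made-up files, not from the thread).
# Prints the path of the temporary directory it creates.
make_sample_tree() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/lib"
    printf '<?php $db_pass = "example"; ?>\n' > "$d/lib/config.inc"
    printf '<?php $db_pass = "example"; ?>\n' > "$d/lib/config.inc.php"
    printf '<?php echo "hi"; ?>\n' > "$d/index.php"
    printf 'body { color: black }\n' > "$d/style.css"
    echo "$d"
}

# With an argument, audit that directory; without one, run on the sample tree.
if [ "$#" -ge 1 ]; then
    find_exposed_includes "$1"
else
    tree=$(make_sample_tree)
    find_exposed_includes "$tree" || true   # reports lib/config.inc only
    rm -rf "$tree"
fi
```

Files kept outside the web root are never visited by this scan, so a clean result for the web root matches the situation described in the reply above.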