At 4:01 PM +0200 5/27/06, Jochem Maas wrote:
> tedd wrote:
> > Name them .inc.php so that they cannot be opened by a webbrowser, thus
> > giving more information to a potential attacker.
> As always, there's another side to that argument. If you give them
> the .php suffix, then they can be run via a browser "as-is", which
> may not be something you want. Need to consider if running your
> includes will do any harm.
> There are 2 strategies I use to combat this potential problem:
> 1. include files don't contain any code that runs on its own, which
> comes down to constant, variable, function or class definitions only.
> 2. any include file that does contain code that runs on inclusion
> contains something like the following as the first line of code:
> if (!defined('MY_APP_IS_SETUP')) die('try http://'.$_SERVER['SERVER_NAME'].'/');
> tedd
Jochem:
Good strategies. I usually use number 1, but didn't consider the other.
Thanks.
tedd
--
------------------------------------------------------------------------------------
http://sperling.com http://ancientstones.com http://earthstones.com
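The two strategies from the thread, worked through as an added example (this is not code from the thread or from either poster). It writes both kinds of include file to a temp directory so it runs offline from the CLI: a definitions-only file (strategy 1) and a file that executes on inclusion, guarded on its first line (strategy 2). The constant name MY_APP_IS_SETUP is the one Jochem used; the file names report.inc.php and lib.inc.php, the `?? 'localhost'` fallback for SERVER_NAME, and the use of a second php process to simulate a direct request are assumptions of the example.

```php
<?php
// Added example, not from the thread. Demonstrates why a definitions-only
// include is harmless when requested directly, and how the first-line guard
// stops an include that runs code from doing so outside the entry point.

$dir = sys_get_temp_dir() . '/inc_guard_demo';
@mkdir($dir);

// Strategy 2: an include that does work on inclusion. The guard is the first
// statement, so nothing below it executes unless the entry point ran first.
// (Assumed: the '?? localhost' fallback, so the message is sane on the CLI.)
$guarded = <<<'PHP'
<?php
if (!defined('MY_APP_IS_SETUP')) die('try http://' . ($_SERVER['SERVER_NAME'] ?? 'localhost') . '/');
// Everything below only runs via the entry point.
$report = 'report generated for ' . ($_SERVER['SERVER_NAME'] ?? 'cli');
PHP;
file_put_contents("$dir/report.inc.php", $guarded);

// Strategy 1: definitions only. Requesting this file directly produces no
// output and performs no action, because nothing here runs on its own.
$defsOnly = <<<'PHP'
<?php
const APP_VERSION = '1.0';
function greet(string $who): string { return "hello, $who"; }
PHP;
file_put_contents("$dir/lib.inc.php", $defsOnly);

// 1) Simulate a direct request: a fresh PHP process in which the constant is
//    not defined. Only the die() message comes back; $report is never set.
$direct = shell_exec(PHP_BINARY . ' ' . escapeshellarg("$dir/report.inc.php"));
echo "direct request to report.inc.php -> ", trim((string) $direct), "\n";

$directLib = shell_exec(PHP_BINARY . ' ' . escapeshellarg("$dir/lib.inc.php"));
echo "direct request to lib.inc.php    -> '", trim((string) $directLib), "' (empty: nothing ran)\n";

// 2) The legitimate path: the entry point defines the constant, then includes.
define('MY_APP_IS_SETUP', true);
require "$dir/report.inc.php";   // guard passes, $report is populated
require "$dir/lib.inc.php";      // definitions become available
echo "via entry point -> ", $report, "\n";
echo greet('world'), " (APP_VERSION ", APP_VERSION, ")\n";
```

The guard only protects the include's own code path; it is a complement to, not a substitute for, keeping include files outside the document root or denying them in the web server configuration, so that a direct request never reaches PHP at all.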
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php