Richard Lynch wrote:
> On Fri, November 3, 2006 1:12 pm, Jon Anderson wrote:
>> Or you can .htaccess "Deny From All" them out... That's my preferred
>> solution. It keeps the include tree near the code that accompanies it
>> without risking anything even if they're called *.php.
>
> Until you upgrade Apache and forget to enable .htaccess.
> Or somebody turns .htaccess off for performance.
> Or Junior Programmer wipes out your .htaccess file.
> Or you tar up the site to move it to Production, but your tar command
> doesn't do .htaccess unless you work at it.
> Or Junior Programmer over-rides your .htaccess in a lower-level .htaccess
> All of the above are simply too easy to happen in the real world, imho.
> You have to work a lot harder at it to intentionally expose a
> non-web-tree file to the web, even on accident.

These problems are trivial to overcome, and not PHP related. You can
argue it if you want, but there are upsides and downsides to both
solutions...I can easily come up with parallel "problems" with the
non-web-tree solution even though it is obviously a very good solution
to a common problem. I really don't see the point in having two
professionals "butt heads" over something so trivial. I'd much rather
just have both solutions in my arsenal, and use whichever one fits the
situation best.
jon
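
A pre-deploy audit for three of the failure modes listed in this thread (guard file wiped out, a lower-level .htaccess re-opening access, an archive built without the dotfile), as an added example that is not part of either poster's message. The function name, the finding labels and the directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an include directory that relies on .htaccess for protection.
# Static checks only. Whether Apache honours .htaccess at all (AllowOverride) is
# not visible from the file tree; confirm it by requesting an include file from
# the server and expecting a 403.

DENY='^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)'
ALLOW='^[[:space:]]*(allow[[:space:]]+from|require[[:space:]]+all[[:space:]]+granted|satisfy[[:space:]]+any)'

# audit_include_dir DIR [TARBALL]
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_include_dir() {
    dir=${1%/}
    tarball=${2:-}
    guard="$dir/.htaccess"
    rc=0

    # Guard file wiped out, or present but no longer denying access.
    if [ ! -f "$guard" ]; then
        echo "MISSING $guard"; rc=1
    elif ! grep -Eiq "$DENY" "$guard"; then
        echo "NO-DENY $guard"; rc=1
    fi

    # A lower-level .htaccess that re-opens access beneath the guarded directory.
    overrides=$(find "$dir" -name .htaccess ! -path "$guard" \
        -exec grep -Eil "$ALLOW" {} + 2>/dev/null || true)
    if [ -n "$overrides" ]; then
        echo "$overrides" | sed 's/^/OVERRIDE /'; rc=1
    fi

    # Release archive built in a way that dropped the dotfile.
    if [ -n "$tarball" ] && ! tar -tf "$tarball" |
            grep -Eq "(^|/)$(basename "$dir")/\.htaccess\$"; then
        echo "NOT-IN-TAR $tarball"; rc=1
    fi
    return $rc
}
```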