On Monday 09 March 2009 3:07:17 pm Nathan Rixham wrote: > Ashley Sheridan wrote: > > Just thought I'd point out that it's recommended against giving non-php > > extensions to PHP code pages. Basically, making all of your include > > files .inc without the server correctly configured to recognise all .inc > > files as PHP files, you are opening yourself up to possible hacks where > > people put the URL of your include directly in their browser and view > > all your code. Best thing is usually to name files like this: > > filename.inc.php or some-such, and not filename.inc. > > v well said - one thing you never want is your source showing! Unless you're working in open source and then the source is showing anyway from the original download site. And if simply knowing your source code is a security hole, then you have bad software. Your config file with passwords and such, sure, keep that locked down tight. But don't rely on security through obscurity. -- Larry Garfield larry@xxxxxxxxxxxxxxxx -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
