Re: Re: PHP includes

On Mon, 2009-03-09 at 15:23 -0500, Larry Garfield wrote:
> On Monday 09 March 2009 3:07:17 pm Nathan Rixham wrote:
> > Ashley Sheridan wrote:
> > > Just thought I'd point out that it's recommended against giving non-php
> > > extensions to PHP code pages. Basically, making all of your include
> > > files .inc without the server correctly configured to recognise all .inc
> > > files as PHP files, you are opening yourself up to possible hacks where
> > > people put the URL of your include directly in their browser and view
> > > all your code. Best thing is usually to name files like this:
> > > filename.inc.php or some-such, and not filename.inc.
> >
> > v well said - one thing you never want is your source showing!
> 
> Unless you're working in open source and then the source is showing anyway 
> from the original download site.  And if simply knowing your source code is a 
> security hole, then you have bad software.
> 
> Your config file with passwords and such, sure, keep that locked down tight.  
> But don't rely on security through obscurity.
> 
> -- 
> Larry Garfield
> larry@xxxxxxxxxxxxxxxx
> 
I was talking about includes that have things such as database
connection information and other sensitive things. By making it a PHP
file, you prevent the code from being seen, ergo you hide your password,
etc. phpMyAdmin does it this way, using a config.inc.php file for
holding the connection information to each database.


Ash
www.ashleysheridan.co.uk


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
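
The following is an added example, not part of the original thread or of any project mentioned in it: a PHP CLI audit that walks a document root and reports files containing PHP source whose extension the server would not hand to the PHP interpreter (the `filename.inc` case discussed above). The function name, the default handler list `['php']` and the sample tree are assumptions made for illustration; the handler list must mirror the real server configuration.

```php
<?php
/**
 * @param string   $docroot  directory served by the web server
 * @param string[] $executed extensions the server runs as PHP (assumption:
 *                           must mirror your real handler configuration)
 * @return string[] paths that would be sent to a browser as plain text
 */
function findExposedIncludes(string $docroot, array $executed = ['php']): array
{
    $exposed = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Only the final extension is compared: config.inc.php => "php".
        $ext = strtolower($file->getExtension());
        if (in_array($ext, $executed, true)) {
            continue;
        }
        // Read only the head of the file; an opening tag is enough evidence.
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 65536);
        if (preg_match('/<\?(php|=)/i', $head)) {
            $exposed[] = $file->getPathname();
        }
    }
    sort($exposed);
    return $exposed;
}

// Constructed sample tree so the script runs offline.
$root = sys_get_temp_dir() . '/inc_audit_' . bin2hex(random_bytes(4));
mkdir($root . '/includes', 0700, true);
file_put_contents($root . '/includes/db.inc', "<?php \$dbPass = 'placeholder';\n");
file_put_contents($root . '/includes/config.inc.php', "<?php \$dbPass = 'placeholder';\n");
file_put_contents($root . '/style.css', "body { margin: 0; }\n");

foreach (findExposedIncludes($root) as $path) {
    echo "served as plain text: ", substr($path, strlen($root)), PHP_EOL;
}

// Clean up the constructed tree.
array_map('unlink', [$root . '/includes/db.inc', $root . '/includes/config.inc.php', $root . '/style.css']);
rmdir($root . '/includes');
rmdir($root);
```

On the constructed tree only `/includes/db.inc` is reported; `config.inc.php` is skipped because its final extension is in the handler list.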