On Thu, 2010-11-11 at 14:21 -0800, Daevid Vincent wrote:

> > -----Original Message-----
> > From: Ashley Sheridan [mailto:ash@xxxxxxxxxxxxxxxxxxxx]
> > Sent: Thursday, November 11, 2010 11:46 AM
> > To: João Cândido de Souza Neto
> > Cc: php-general@xxxxxxxxxxxxx
> > Subject: Re: Re: use of ini vs include file for configuration
> >
> > On Thu, 2010-11-11 at 17:16 -0200, João Cândido de Souza Neto wrote:
> >
> > > Agreed.
> > >
> > > --
> > > João Cândido de Souza Neto
> > >
> > > "Tamara Temple" <tamouse.lists@xxxxxxxxx> wrote in message
> > > news:977F087C-BB11-4444-B851-21616AE9E8D3@xxxxxxxxxxxx
> > > > I'm curious what the list's opinions are regarding the use of an
> > > > .ini file versus an include configuration file in PHP code?
> > > >
> > > > I can see uses for either (or both).
> > > >
> > > > To me, it seems that an .ini file would be ideal in the case
> > > > where you want to allow a simpler interface for people installing
> > > > your app to configure things that need configuring, and an
> > > > included PHP code configuration file for things you don't
> > > > necessarily want the average installer to change.
> > > >
> > > > What do you think?
> > > >
> > > > Tamara
> >
> > There are potential security concerns involved too. An .ini file will
> > be output as plain text by default by the web server if requested by a
> > user agent unless it is protected somehow (by a .htaccess file for
> > example) or it is outside of document root for the server. A PHP file
> > on the other hand will be parsed, so won't output its variables.
> >
> > It's all too easy to forget to protect an ini file from this sort of
> > thing, whereas if you've written a website in PHP, it becomes fairly
> > evident if your web server isn't configured for PHP without testing
> > specifically for it!
>
> Why would you put your configuration file in a ../htdocs folder? That's
> just poor design.
>
> Just as your classes and include files are OUTSIDE your document root, so
> must your config file be.
>
> Plus it's trivial to secure a .ini with a .htaccess or other Apache method.

Tell that to the developers of all the big names out there, phpMyAdmin,
phpBB, CodeIgniter, et al. All of them, for ease of use, put all the
config files in the htdocs directory by default, presumably so that they
don't lock out those people who can only get hosting that does not allow
much more than basic configuration. It might be poor design, but it's
just the way things are, and if you're working with such hosting, it's
worth bearing in mind what your options are. I did mention specifically
about putting the config files outside of document root, but that's not
always possible in every case.

Thanks,
Ash
http://www.ashleysheridan.co.uk
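
The "config file outside the document root" option discussed in this thread, written as a PHP loader that refuses an .ini file the web server could serve as plain text. This is an added example, not code from any of the posters; the function names and the temp-directory demo layout are assumptions.

```php
<?php
// Added example: load an .ini config only when the web server cannot serve it.

/** True when $path resolves inside $docRoot; unresolvable paths count as exposed. */
function isInsideDocRoot(string $path, string $docRoot): bool
{
    $realPath = realpath($path);
    $realRoot = realpath($docRoot);
    if ($realPath === false || $realRoot === false) {
        return true; // fail closed
    }
    // Trailing separator keeps /var/www/htdocs2 from matching /var/www/htdocs.
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

/** Parse $iniPath into an array, refusing files located under the document root. */
function loadConfig(string $iniPath, string $docRoot): array
{
    if (!is_file($iniPath) || !is_readable($iniPath)) {
        throw new RuntimeException("Config file missing or unreadable: $iniPath");
    }
    if (isInsideDocRoot($iniPath, $docRoot)) {
        throw new RuntimeException("Refusing $iniPath: it is inside the document root");
    }
    $config = parse_ini_file($iniPath, true, INI_SCANNER_TYPED);
    if ($config === false) {
        throw new RuntimeException("Could not parse $iniPath");
    }
    return $config;
}

// Constructed demo layout in a temp directory; on a real site pass
// $_SERVER['DOCUMENT_ROOT'] as the second argument.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . uniqid();
mkdir($base . '/htdocs', 0700, true);
file_put_contents($base . '/app.ini', "[database]\nhost = localhost\nport = 3306\n");
file_put_contents($base . '/htdocs/app.ini', "[database]\nhost = localhost\n");

$config = loadConfig($base . '/app.ini', $base . '/htdocs');
echo 'Loaded database host: ', $config['database']['host'], PHP_EOL;

try {
    loadConfig($base . '/htdocs/app.ini', $base . '/htdocs');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```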