Since we're talking about include()ing functions specifically, I don't think
there's going to be much trouble to be had. Your file may be something like
this:
<?php
function somefuncname() {
    // some code
}
?>
If that's executed by PHP by being called directly, it won't do anything.
It's worth noting your point for completeness' sake so someone doesn't put
faulty code into their .inc.php file that's going to cause damage if it doesn't
receive proper parameters from code that usually comes before it's included.
But the whole purpose of moving code outside the main script combined with
using a .inc.php extension so your web server doesn't accidentally serve it out
as text would be to make the code more modular and secure. You're not likely
to have an included file echoing your database admin passwords or displaying
secure data (that it wouldn't display just by running your main script that
includes that .inc.php file).
The worst case scenario I can think of would be something like:
<?php
switch ($var) {
    case "select":
        // do db select function
        break;
    case "insert":
        // do db insert
        break;
    // ... whatever other cases
    default:
        // do database delete function (like
        // "delete from sometable where somecol <> '$someundefinedvar'")
        break;
}
?>
Executing an include is almost always far less dangerous than being able to
view them.
-TG
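As an added example (not code from either poster), here is that "worst case" include rewritten so that fetching it directly through the web server does nothing: the main script is assumed to `define('APP_ENTRY', true)` before including it, the work moves into a function that receives its input as a parameter, and the destructive path refuses to run without a filter value. The constant name APP_ENTRY and the function names are assumptions.

```php
<?php
// Added example, not from the original posts.
// Assumed calling convention in the main script:
//     define('APP_ENTRY', true);
//     require 'actions.inc.php';
// APP_ENTRY, dbAction() and dbDeleteWhereNot() are hypothetical names.

// Guard: when the file is requested directly, the constant is undefined,
// so nothing below runs on unset variables.
if (!defined('APP_ENTRY')) {
    http_response_code(404);
    exit;
}

// The switch from the "worst case" file, but inside a function: nothing
// executes merely because the file was included, and the action is an
// explicit parameter instead of a global that may or may not be set.
function dbAction(string $action): string
{
    switch ($action) {
        case 'select':
            return 'select * from sometable';
        case 'insert':
            return 'insert into sometable (somecol) values (:value)';
        // No destructive fallback: an unknown or missing action is an
        // error, not a delete with an empty filter.
        default:
            throw new InvalidArgumentException("unknown action: $action");
    }
}

// Destructive operations get their own function that refuses an empty
// filter value, so "<> ''" can never be built from an undefined variable.
function dbDeleteWhereNot(?string $value): string
{
    if ($value === null || $value === '') {
        throw new InvalidArgumentException('refusing delete without a filter value');
    }
    // Placeholder SQL: a real implementation binds :value in a prepared statement.
    return 'delete from sometable where somecol <> :value';
}
?>
```

With the guard in place, a direct request for actions.inc.php returns a 404 instead of executing the switch, while the main script that defines APP_ENTRY uses it exactly as before.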
= = = Original message = = =
> > Name them .inc.php so that they cannot be opened by a webbrowser, thus
> > giving more information to a potential attacker.
As always, there's another side to that argument. If you give them the
.php suffix, then they can be run via a browser "as-is", which may
not be something you want. Need to consider if running your includes
will do any harm.
tedd