Richard Lynch wrote:
> On Thu, November 2, 2006 3:01 pm, Alan Milnes wrote:
>> Don't call files .inc - call them .inc.php if you really must have the
>> inc somewhere, that way the Web Server will actually treat it as a php
>> file and not display your details to the world if accessed directly.
>
> A Bad Guy can surf to them, and your PHP code gets executed completely
> out of context, which you have never ever ever done any QA work on to
> see what effect that would have...
>
> Or, you could put your .inc files outside the web tree, and set
> http://php.net/include_path correctly, and then the Bad Guy cannot
> surf to them at all.
>
> And you can name them .inc or .class or .dingdongthewickedwitchisdead
> for all the difference it will make from a technical stand-point.
>
> IMHO, the second option is much better.
Or you can .htaccess "Deny From All" them out... That's my preferred solution. It keeps the include tree near the code that accompanies it without risking anything even if they're called *.php.

jon
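The following is an added example, not code from anyone in this thread. It shows Richard's second option in working PHP: the entry script lives under the document root, the included files live one directory above it, and include_path is pointed at that directory so the includes are resolved from disk but never reachable by URL. The directory layout, the file names db.inc and index.php, and the constant name APP_ENTRY are assumptions for the example.

```php
<?php
// Added example (not from the thread). Assumed layout:
//   /var/www/example/htdocs/index.php   <- document root, reachable over HTTP
//   /var/www/example/lib/db.inc         <- one level above the web tree, no URL maps here
//
// ---- htdocs/index.php ----

// Locate the private library directory relative to this script, not to the
// working directory, so the result does not change with how PHP is invoked.
$privateLib = realpath(__DIR__ . '/../lib');
if ($privateLib === false) {
    http_response_code(500);
    exit('library directory missing');
}

// Sanity check for the deployment: the library directory must not sit
// under the document root, otherwise the files are back in the web tree.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false && strpos($privateLib . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('library directory is inside the web tree');
}

// Prepend the private directory to include_path (the setting Richard links
// to), keeping whatever the php.ini already configured.
set_include_path($privateLib . PATH_SEPARATOR . get_include_path());

// A bare file name is resolved through include_path. The extension is
// irrelevant here: .inc is fine because nothing outside the tree is served.
define('APP_ENTRY', true);
require 'db.inc';

echo 'connected as ' . $dbUser . PHP_EOL;

// ---- lib/db.inc ----
// (shown in the same block for readability; in the assumed layout this is a
//  separate file above the document root)
//
// <?php
// // Belt and braces: refuse to do anything unless loaded by the entry script.
// if (!defined('APP_ENTRY')) {
//     exit;
// }
// $dbUser = 'app';          // constructed sample value
// $dbPass = 'example-only'; // constructed sample value
```

jon's alternative keeps the includes inside the web tree and blocks them at the web server instead: a `.htaccess` in the include directory containing `Deny from all` (Apache 2.2 syntax, as quoted above; on Apache 2.4 the equivalent directive is `Require all denied`). That works only where `.htaccess` overrides are enabled for that directory (`AllowOverride` must permit `Limit` or `AuthConfig`), which is worth verifying by requesting one of the files directly after deployment and confirming a 403.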

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
