> 1. Name all included files .inc. I do this for many reasons, but mainly
> to help me know which are executables, and which are includes.  It also
> helps with step 3.

Just for an added layer of security (in case step 3 isn't effective due to
mis-configuration or what have you), name them .inc.php and at the top of
the code put something like this (e.g. filename == mysql.inc.php):

// $_SERVER['SCRIPT_NAME'] is set even when register_globals is off
if ($_SERVER['SCRIPT_NAME'] == "/inc/mysql.inc.php")
  die("you shouldnt be talking to me!");

or if you're really clever, you could throw a 404: not found or a 301:
access denied.

This also means that your script will be relatively harmless and the PHP
code would never be divulged. If it was in a .inc file alone, then if the
.htaccess wasn't being effective (or it was accidentally uploaded to an
alternate location) then it would be completely exposed.

> 3. Include a .htaccess file in the /inc/ directory (or further up
> towards your docroot) with the following:
>
> <Files ~ "\.inc$">
>     Order Allow,Deny
>     Deny from all
> </Files>

Change the first line to <Files ~ "\.inc.php$"> in order to fit this more
secure procedure.

-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd
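
Added example, not part of the original post: a variant of the guard described above that compares resolved filesystem paths instead of a hard-coded URL, so it still fires if the file is uploaded to an alternate location. The function name inc_requested_directly is hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// mysql.inc.php -- illustrative guard, not the poster's code.
// Refuse to run when this include file is itself the script the web
// server was asked to execute, without hard-coding its URL path.

function inc_requested_directly(string $includeFile, array $server): bool
{
    // SCRIPT_FILENAME is the filesystem path of the request's entry script.
    $entry = $server['SCRIPT_FILENAME'] ?? '';
    if ($entry === '') {
        // Entry script unknown: cannot decide here, so rely on the
        // web server deny rule for this case.
        return false;
    }

    // realpath() resolves symlinks and ".." segments, so a copy reached
    // through an alias or a different directory still compares equal.
    $entryReal = realpath($entry);
    $selfReal  = realpath($includeFile);

    return $entryReal !== false
        && $selfReal !== false
        && $entryReal === $selfReal;
}

if (inc_requested_directly(__FILE__, $_SERVER)) {
    // Answer as if the file did not exist and emit nothing else.
    http_response_code(404);
    exit;
}

// Include-only code (connection setup, helper functions) follows here.
// When another script include()s this file, SCRIPT_FILENAME points at
// that script, the guard is skipped, and execution continues normally.
```

Because the file keeps the .php extension, a missing or ignored .htaccess rule results in the guard running rather than the source being served as text.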



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
