Re: [PHP] [Files suffix] .inc.php files

2005-06-01 Thread Richard Lynch
On Tue, May 31, 2005 10:55 am, Leif Gregory said:
> Hello Martin,
>
> Sunday, May 29, 2005, 9:24:00 PM, you wrote:
> M> I saw files like file.inc.php and file.inc
> M> What is the *.inc suffix good for ?
>
> It's good for a lot of trouble if the webserver hasn't been set up to
> parse .inc files as PHP. If it hasn't then someone can request that
> file in a browser and see the code.

Gak!

It's good for even *MORE* trouble if the webserver is set up to parse .inc
as PHP!

You've got files that people can get executed *COMPLETELY* out of context,
that *NOBODY* even thought about being executed out of context, much less
*TESTED* in any kind of QA process!

I can surf to http://example.com/admin.inc and who knows what will happen
if that PHP code in there gets executed without all the code you expected
to be executed before that code?

> I'd just stay away from using .inc for an include and do either of the
> below:
>
> config.inc.php
>
> or just
>
> config.php

Neither of which solves the base problem:

The *REAL* solution is to put your .inc files *OUTSIDE* the web-tree where
they simply CANNOT be executed out of context (by surfing to them) and
cannot be downloaded by Bad Guys looking for holes.

You can also add code to the beginning of every .inc file which attempts
to examine the state of the HTTP request to determine that it is not being
called out of context, but that's a pain to have to put in every file, or
to have to remember to include the include file that does that, and to
hope that every developer (or even just you) remembers to do that.  It's
really much easier to just fix your include_path, move the files where
they cannot get accessed, and be done with it.

Just my opinion.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
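Richard's advice above, as an added example that is not code from the list thread: the bootstrap of an entry script that points include_path at a directory outside DocumentRoot and refuses to start if that directory turns out to be web-reachable after all. The directory layout and the include file names are assumptions.

```php
<?php
// Added example, not code from the list thread.  Assumed layout:
//   /var/www/site/htdocs/index.php   <- DocumentRoot holds entry scripts only
//   /var/www/site/includes/*.inc     <- never reachable by URL
// This bootstrap sits at the top of index.php.

// The private include directory, resolved relative to the entry script.
$includeDir = realpath(__DIR__ . '/../includes');
if ($includeDir === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('include directory is missing');
}

// Deployment check: if the includes were dropped inside the document root
// after all, every one of them is a URL, so refuse to start.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false) {
    $prefix = rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($includeDir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('include directory must not live inside the document root');
    }
}

// Put the private directory first on include_path, so that bare names such
// as 'config.inc' resolve there.  PHP parses whatever it includes, so the
// .inc files need no web-server mapping at all.
set_include_path($includeDir . PATH_SEPARATOR . get_include_path());

require 'config.inc';
require 'functions.inc';
```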



Re: [PHP] [Files suffix] .inc.php files

2005-06-01 Thread Marcus Bointon

On 1 Jun 2005, at 06:22, Richard Lynch wrote:

> You've got files that people can get executed *COMPLETELY* out of context,
> that *NOBODY* even thought about being executed out of context, much less
> *TESTED* in any kind of QA process!
>
> I can surf to http://example.com/admin.inc and who knows what will happen
> if that PHP code in there gets executed without all the code you expected
> to be executed before that code?


There is one simple habit that can mitigate this issue, and it's one
I see very often: make your .inc.php and .class.php files do nothing.
If your .inc files contain only function and constant definitions, and
your .class files contain only class definitions, then nothing will
happen when you run them - a bunch of functions or a class will get
defined, but if nothing is run, they will just be forgotten. This
route has a major advantage when it comes to deployment - you can
just stick all your files in one place, and it will work without
risk. Another simple approach is to put all your included files in a
directory that contains a .htaccess file to prevent direct access to
them. They can still be included from your PHP scripts.


Marcus
--
Marcus Bointon
Synchromedia Limited: Putting you in the picture
[EMAIL PROTECTED] | http://www.synchromedia.co.uk




Re: [PHP] [Files suffix] .inc.php files

2005-06-01 Thread Rory Browne
Moving outside the web tree is the best option, where practical.
Calling the files whatever.inc.php allows you to disallow access to
.inc.php files via the Apache config file.
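The Apache rule Rory describes here (and the .htaccess approach Marcus mentions above), as an added example that is not part of any list post: it denies direct HTTP requests for *.inc and *.inc.php files while leaving them readable by PHP's include(), which goes to the filesystem rather than through the web server. The name pattern and placement are assumptions.

```apache
# Added example, not from the list thread.  Denies direct requests for
# include files named *.inc or *.inc.php.  Apache 2.4 syntax; put it in
# httpd.conf, or in the .htaccess of the includes directory if
# AllowOverride permits it there.  include()/require() still work because
# PHP reads the file from disk, not via an HTTP request.
<FilesMatch "\.inc(\.php)?$">
    Require all denied
</FilesMatch>

# Apache 2.2 equivalent of the block above:
# <FilesMatch "\.inc(\.php)?$">
#     Order allow,deny
#     Deny from all
# </FilesMatch>
```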




Re: [PHP] [Files suffix] .inc.php files

2005-06-01 Thread John Nichel

Leif Gregory wrote:

> Hello Martin,
>
> Sunday, May 29, 2005, 9:24:00 PM, you wrote:
> M> I saw files like file.inc.php and file.inc
> M> What is the *.inc suffix good for ?
>
> It's good for a lot of trouble if the webserver hasn't been set up to
> parse .inc files as PHP. If it hasn't then someone can request that
> file in a browser and see the code.


PHP will parse the file when called via include() or require(), no 
matter the extension and how the web server is configured.  Now if a 
user tries to access the file directly, then the webserver comes into 
play, but one would think that you don't want include files accessed 
directly anyway.  The best ways to do this are to put them outside of 
document root, give them a unique extension (like .inc or .inc.php) that 
you can filter out in Apache, and put some 'security measure' in the 
file itself (like checking to see if a constant is set).


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
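The constant check John mentions (and the per-file guard Richard describes earlier in the thread), as an added example that is not code from the list: an include file that exits unless the entry script defined a constant before including it. IN_APP and the file names are assumed.

```php
<?php
// lib/admin.inc.php -- added example, not code from the list thread.
// The entry script (index.php, say) does, before anything else:
//     define('IN_APP', true);
//     require __DIR__ . '/lib/admin.inc.php';
// A direct request for /lib/admin.inc.php runs this file on its own, with
// no IN_APP defined, so the guard stops it before any real code executes.
// IN_APP is an assumed name; pick one that no other code defines.
if (!defined('IN_APP')) {
    // Answer like a missing page instead of confirming the file exists.
    header('HTTP/1.1 404 Not Found');
    exit;
}

// From here on the file knows it was included by an entry script.
function admin_menu()
{
    echo '<ul><li>Users</li><li>Settings</li></ul>';
}
```

The guard only protects files that carry it, which is Richard's objection above, and it does nothing if the server serves the file as plain text instead of parsing it as PHP; it complements keeping the includes outside the web tree rather than replacing it.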




RE: [PHP] [Files suffix] .inc.php files

2005-05-31 Thread Jay Blanchard
[snip]
I saw files like file.inc.php and file.inc

What is the *.inc suffix good for ?

Thank you for replies.
[/snip]

Once is enough...wait for an answer.

The suffix is good for identifying files. For instance, say you have a
group of standard functions that you use in all applications. You can
call it functions.inc (inc stands for 'include'). It is an
organizational method.




Re: [PHP] [Files suffix] .inc.php files

2005-05-31 Thread Jochem Maas

sorry Martin, forgot to post to list!

oh and the list is a little overworked so don't
go posting double if your post doesn't appear immediately...
it will get there eventually ;-)


Martin Zvarik wrote:

> Hi,
>
> I saw files like file.inc.php and file.inc


I saw penguins :-)


> What is the *.inc suffix good for ?


differentiating between different 'types' of
files - i.e. those with a .inc extension usually denote
files which are included as opposed to being called
'directly' from the browser. another type of
file name you might see is 'file.class.php' for files
which contain (usually a single) class definition or
'file.funcs.php' for files which just contain a 'library'
of functions.

basically name your files any way you see fit, php
does not care - do bear in mind that your webserver needs
to be configured to recognize your php files (which is
usually done by way of file extension) -

<?php

// this will work as expected - assuming such a
// file actually exists somewhere along your include_path.
include_once 'crufty-include-rubbish';

?>

hth


> Thank you for replies.
>
> Martin





Re: [PHP] [Files suffix] .inc.php files

2005-05-31 Thread Leif Gregory
Hello Martin,

Sunday, May 29, 2005, 9:24:00 PM, you wrote:
M> I saw files like file.inc.php and file.inc
M> What is the *.inc suffix good for ?

It's good for a lot of trouble if the webserver hasn't been set up to
parse .inc files as PHP. If it hasn't then someone can request that
file in a browser and see the code.

I'd just stay away from using .inc for an include and do either of the
below:

config.inc.php

or just

config.php

Whichever floats your boat.





-- 
Leif (TB lists moderator and fellow end user).

Using The Bat! 3.5.20 under Windows XP 5.1
Build 2600 Service Pack 2 on a Pentium 4 2GHz with 512MB
