Re: [PHP] .inc over .php

2002-04-19 Thread J Smith


3) Block downloads on .inc files, like using a  directive in 
httpd.conf or a .htaccess file in apache. (Or whatever on another web 
server.) Now, even if a user tries to view that file, it won't execute at 
all, thus perhaps saving you some memory and clock cycles. (And it's 
generally more secure than treating them as php files since the includes 
might do something to, say, a database that you don't want them to do 
unless they're included into a valid php file request.)

J


Jason Wong wrote:

> 
> There are two ways to counter this:
> 
> 1) have the .inc files in a directory outside the scope of the webserver
> directory.
> 
> 2) set the webserver to treat .inc files as php files.
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] .inc over .php

2002-04-19 Thread Meir Kriheli

On Friday 19 April 2002 15:58, Erik Price wrote:
> On Friday, April 19, 2002, at 04:10  AM, Jacob Wyke wrote:
> > Why use .inc as a file extension when you can use .php ??
> > What are the advantages/disadvantages to using .inc?
> > Is one more secure?
> > Which is faster?
> > Which is considered a better practice?
>
> It's just to help me organize which files I use as included files (.inc)
> and which files are actual PHP scripts that can be requested with a URI
> (.php).
>
> Also, I set an Apache directive to refuse requests for any file with the
> .inc extension, so my database connection info, password, etc is
> (theoretically) safe from being served directly.
>
>
> Erik

Those files should be placed outside DocumentRoot (if you control the server). 
Then set include_path in php.ini to include that dir, and you're done. No 
need to rely on apache for this.
-- 
Meir Kriheli






RE: [PHP] .inc over .php

2002-04-19 Thread Tim Ward

I've settled on .inc.php, .class.php, etc. That way you get the best of both
worlds. Your files are identified as what they are and don't get sent out
unparsed.

Tim Ward
Internet Chess www.chessish.com <http://www.chessish.com> 


--
From: Jason Wong [SMTP:[EMAIL PROTECTED]]
Sent: 19 April 2002 09:28
To: [EMAIL PROTECTED]
Subject: Re: [PHP] .inc over .php

On Friday 19 April 2002 16:10, Jacob Wyke wrote:
> Just a few quick questions if anybody is out there.

Nobody here but us chickens.

> Why use .inc as a file extension when you can use .php ??

Just a matter of aesthetics. Some people might like to use .inc to remind
themselves that the file is to be included and not run on its own.

> What are the advantages/disadvantages to using .inc?

None from a technical point of view

> Is one more secure?

On default webserver settings, .inc may be less secure because by default the
webserver would not treat .inc files as php files and thus return them as-is.
Thus if people know the name of your "filename.inc" they could potentially
browse to it and thus see its contents.

There are two ways to counter this:

1) have the .inc files in a directory outside the scope of the webserver
directory.

2) set the webserver to treat .inc files as php files.

> Which is faster?

No difference.

> Which is considered a better practice?

As long as you take the necessary precautions then it boils down to a matter
of preference.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
"Home, Sweet Home" must surely have been written by a bachelor.
-- Samuel Butler
*/





RE: [PHP] .inc over .php

2002-04-19 Thread .ben

> On Friday, April 19, 2002, at 07:22  AM, .ben wrote:
>
> > i'm not sure if the same rules apply to PHP but with ASP I make all my
> > includes contain only functions and constants, no free mark-up, and then
> > save them as .inc.asp so if requested directly they return an empty
> > script.
>
> Until the ASP processor craps out.  Or if you had any scripts in such
> format they would be executed -- which might not be desirable.

ASP what does what?  I've never experienced anything like that... what do
you mean?  Confused.

> Much better to keep includefiles outside of document root or set a
> directive with your web server to deny requests for those files
> somehow.  In Apache it's as easy as
>
> 
> Order allow,deny
> Deny from all
> 
>
> Not sure about IIS though.

Not sure if you can do that in IIS, but the method i describe works fine.
Keeping includes out of the document root leads to messy webservers ime,
tho, i have worked with a messy bunch of SysAdmins in the past :)

 .b






Re: [PHP] .inc over .php

2002-04-19 Thread Erik Price


On Friday, April 19, 2002, at 07:22  AM, .ben wrote:

> i'm not sure if the same rules apply to PHP but with ASP I make all my
> includes contain only functions and constants, no free mark-up, and then
> save them as .inc.asp so if requested directly they return an empty 
> script.

Until the ASP processor craps out.  Or if you had any scripts in such 
format they would be executed -- which might not be desirable.

Much better to keep includefiles outside of document root or set a 
directive with your web server to deny requests for those files 
somehow.  In Apache it's as easy as


Order allow,deny
Deny from all


Not sure about IIS though.


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] .inc over .php

2002-04-19 Thread Erik Price


On Friday, April 19, 2002, at 04:10  AM, Jacob Wyke wrote:

> Why use .inc as a file extension when you can use .php ??
> What are the advantages/disadvantages to using .inc?
> Is one more secure?
> Which is faster?
> Which is considered a better practice?

It's just to help me organize which files I use as included files (.inc) 
and which files are actual PHP scripts that can be requested with a URI 
(.php).

Also, I set an Apache directive to refuse requests for any file with the 
.inc extension, so my database connection info, password, etc is 
(theoretically) safe from being served directly.


Erik






Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]






Re: [PHP] .inc over .php

2002-04-19 Thread Tom Rogers

Hi
By using .inc you can be sure they will not get executed out of context 
which can be dangerous, but also you should add this to apache config to 
stop them being delivered as plain text which can also be dangerous. I 
don't know about IIS but I guess they have something similar.


 Order allow,deny
 Deny from all


Tom


At 06:10 PM 19/04/2002, you wrote:
>Just a few quick questions if anybody is out there.
>
>Why use .inc as a file extension when you can use .php ??
>What are the advantages/disadvantages to using .inc?
>Is one more secure?
>Which is faster?
>Which is considered a better practice?
>
>Thanks a lot.




RE: [PHP] .inc over .php

2002-04-19 Thread .ben

i'm not sure if the same rules apply to PHP but with ASP I make all my
includes contain only functions and constants, no free mark-up, and then
save them as .inc.asp so if requested directly they return an empty script.

 .b

> -----Original Message-----
> From: Jason Wong [mailto:[EMAIL PROTECTED]]
> Sent: 19 April 2002 11:38
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] .inc over .php
>
>
> On Friday 19 April 2002 17:31, Danny Shepherd wrote:
> > A third way could be to append .php onto those files too,
> giving .inc.php,
> > .class.php etc.
> >
>
> 
>   IOW make them into .php files?
> 
>
> --
> Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
>
> /*
> So, is the glass half empty, half full, or just twice as
> large as it needs to be?
> */
>




Re: [PHP] .inc over .php

2002-04-19 Thread Jason Wong

On Friday 19 April 2002 17:31, Danny Shepherd wrote:
> A third way could be to append .php onto those files too, giving .inc.php,
> .class.php etc.
>


  IOW make them into .php files?


-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
So, is the glass half empty, half full, or just twice as
large as it needs to be?
*/





Re: [PHP] .inc over .php

2002-04-19 Thread Danny Shepherd

A third way could be to append .php onto those files too, giving .inc.php,
.class.php etc.

Danny.

> There are two ways to counter this:
>
> 1) have the .inc files in a directory outside the scope of the webserver
> directory.
>
> 2) set the webserver to treat .inc files as php files.
>







Re: [PHP] .inc over .php

2002-04-19 Thread Jason Wong

On Friday 19 April 2002 16:10, Jacob Wyke wrote:
> Just a few quick questions if anybody is out there.

Nobody here but us chickens.

> Why use .inc as a file extension when you can use .php ??

Just a matter of aesthetics. Some people might like to use .inc to remind 
themselves that the file is to be included and not run on its own.

> What are the advantages/disadvantages to using .inc?

None from a technical point of view

> Is one more secure?

On default webserver settings, .inc may be less secure because by default the 
webserver would not treat .inc files as php files and thus return them as-is. 
Thus if people know the name of your "filename.inc" they could potentially  
browse to it and thus see its contents. 

There are two ways to counter this:

1) have the .inc files in a directory outside the scope of the webserver 
directory.

2) set the webserver to treat .inc files as php files.

> Which is faster?

No difference.

> Which is considered a better practice?

As long as you take the necessary precautions then it boils down to a matter 
of preference.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
"Home, Sweet Home" must surely have been written by a bachelor.
-- Samuel Butler
*/
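
Added example, not part of the original thread and not any poster's code: a Python audit that walks a document root and lists files containing PHP source whose extension the server does not hand to PHP, which is the exposure described in the message above. It assumes a simple extension-to-handler mapping and does not model a deny directive; the directory layout, file names and contents are constructed.

```python
import os
import re
import tempfile

# Assumption: the server passes only these extensions to the PHP interpreter.
PHP_HANDLED = {".php"}
# Opening tags that mark a file as containing PHP source.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def exposed_includes(docroot, handled=PHP_HANDLED):
    """Docroot-relative paths of files that hold PHP source but whose
    extension is not PHP-handled, so a direct request returns them as-is."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in handled:
                continue  # parsed by PHP; the source never reaches the client
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue  # unreadable by us; skip rather than guess
            if PHP_TAG.search(head):
                hits.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample site: htdocs/ is the document root, includes/ is not."""
    samples = {
        "htdocs/index.php": "<?php include 'db.inc'; ?>",
        "htdocs/db.inc": "<?php $db_password = 'constructed-example'; ?>",
        "htdocs/lib/util.inc.php": "<?php function helper() {} ?>",
        "htdocs/lib/user.class.php": "<?php class User {} ?>",
        "htdocs/style.css": "body { margin: 0 }",
        "includes/db.inc": "<?php $db_password = 'constructed-example'; ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(base, "htdocs")


def audit_sample(handled=PHP_HANDLED):
    """Build the constructed tree in a temp dir and audit its document root."""
    with tempfile.TemporaryDirectory() as base:
        return exposed_includes(build_sample_tree(base), handled)


if __name__ == "__main__":
    print(audit_sample())                   # default mapping: only .php is parsed
    print(audit_sample({".php", ".inc"}))   # server set to treat .inc as PHP
```

The copy under `includes/` is never reported because it sits outside the document root, and the `.inc.php` and `.class.php` files are skipped because their final extension is PHP-handled.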
