> j> Name them blahblah.inc.php or something that will be parsed, and
> j> therefore not just gurped up by the server.
>
> I think it is more secure to move the inc file out of the www tree.
>

I agree with this completely.  The only thing about that is that some
admins want a quick and dirty install.  And so it's just been my
experience that you can limit your vulnerabilities by renaming them to
.php.

If you can do both, it's ideal.  I've seen (and found) some security
holes where it was possible to read files on the file system by using
the webserver process.  If that file is just a list of $var="blah" or
function definitions, and does not end with a parsable extension (.php)
then the file is presented to the browser in completely readable format.
If it is parsed, then all the browser gets is a blank page.

That's kind of what I was saying.

You're right though, that out of the webserver tree is better.

jeremy

--
Jeremy Kelley <[EMAIL PROTECTED]>          pgp keyid 0xAECBA355
Phil 1:21                                      www.ganooz.com
Car pour moi, la vie c'est le Christ, et la mort est un gain.

> -----Original Message-----
> From: Andrew Sitnikov [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 17, 2001 15:39
> To: jeremy
> Cc: Jamie Burns; [EMAIL PROTECTED]
> Subject: Re[2]: [PHP] how do i hide my .inc files in apache??
>
>
> Hello jeremy,
>
> j> don't name them .inc files.
>
>
> j> Name them blahblah.inc.php or something that will be parsed, and
> j> therefore not just gurped up by the server.
>
> I think it is more secure to move the inc file out of the www tree.
>
> /home/user/public_html/index.php
> /home/user/include/lib.inc
>
> index.php
> <?php
>   // absolute path outside the document root, so the web server never serves lib.inc
>   include('/home/user/include/lib.inc');
> ?>
>
>
> Best regards,
>  Andrew Sitnikov
>
>

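An added shell example, not from either message in this thread: an audit of a document root for include files that the web server would hand to a browser as readable source, run against a constructed sample tree that mirrors Andrew's layout (public_html plus a sibling include directory). The parsed extensions (.php, .phtml) and the Apache directive in the comment are assumptions about the server's configuration.

```shell
#!/bin/sh
# Audit a document root for include files that would be served as plain text.
# A file is "exposed" when it contains a PHP open tag but its name does not end
# in an extension PHP parses (.php / .phtml assumed here; match your AddType rules).
# Includes kept outside the document root, as in Andrew's layout, never show up.
# Defense in depth, if .inc files must stay in the tree (Apache 2.4, assumed):
#   <FilesMatch "\.inc$">  Require all denied  </FilesMatch>

find_exposed_includes() {
    docroot="$1"
    # -l: print file names only; -F: literal match on the open tag
    find "$docroot" -type f ! -name '*.php' ! -name '*.phtml' \
        -exec grep -lF '<?' {} + 2>/dev/null | sort
}

# Constructed sample site: web root plus a sibling include directory.
# Prints the base directory so callers can inspect and clean it up.
make_sample_site() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html" "$base/include"
    printf '<?php include("%s/include/db.inc"); ?>\n' "$base" > "$base/public_html/index.php"
    printf '<?php $db_pass = "constructed-secret"; ?>\n' > "$base/public_html/config.inc"   # exposed: raw source
    printf '<?php $api_key = "constructed-secret"; ?>\n' > "$base/public_html/lib.inc.php" # parsed: blank page
    printf '<?php $db_pass = "constructed-secret"; ?>\n' > "$base/include/db.inc"          # outside the tree
    printf 'body { margin: 0 }\n' > "$base/public_html/style.css"                         # no PHP, not reported
    echo "$base"
}

# Run the audit against the constructed site; only public_html/config.inc is reported.
site=$(make_sample_site)
find_exposed_includes "$site/public_html"
rm -rf "$site"
```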

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
