From: "Chris W. Parker" <[EMAIL PROTECTED]>
> > You're right. Option 2 offers more security in that no one will ever
> > be able to reach the file directly with a web browser. You don't need
> > to use file() or file_get_contents(), though... A simple
> > include('../includes/db.inc'); will work (where ../ takes you outside
> > of the webroot and into an includes/ directory for the db.inc file).
> > Or use an absolute path include('/home/user/includes/db.inc'); where
> > /home/user/www/ is your webroot (for example).
>
> how about just calling 'db.php' so that when someone does request it via
> a web browser it will be parsed and end up not sending any data to the
> client?

We'll call that Option 3, which is a viable option if you cannot do Option 2
(store outside of webroot). The problem with this method is that if PHP
ever fails for any reason, the file may be delivered as plain text. It can
also be run "out of context". For a db connection script, this could mean
that someone could program a bot to hit this script multiple times and use
up your database connections and slow things down. If the file runs normal
PHP code, depending upon how it's written, it could be run "out of context"
and perhaps generate useful errors to people profiling your application or
possibly show data that wasn't intended to be shown by itself (imagine an
.inc file that generates a table from the database that's normally protected
by surrounding PHP code, but now it can be run by itself).

Option 4 would be to place the files in an .htaccess protected directory.
Again, though, if Apache were to fail for any reason, the file could be
served as plain text. This option is also not portable to other web servers,
so that could be an issue.

---John Holmes...
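As an added example (not code from the thread), this is the guard that addresses the "out of context" problem John describes for Option 3: the include file refuses to do anything unless the including script has defined a marker constant, and it never echoes data, so a direct request to it yields a bare 403 rather than a database connection or an error message. File paths, the constant name APP_ENTRY and the credentials are assumed placeholders.

```php
<?php
// /home/user/includes/db.php (assumed path; ideally outside the webroot /home/user/www/,
// but the guard below also protects it if it has to live inside the webroot).

// Refuse to run out of context: only a script that defined APP_ENTRY before
// including this file gets a connection. A direct browser request never did.
if (!defined('APP_ENTRY')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// Credentials stay in variables; nothing in this file is echoed to the client.
$dbHost = 'localhost';
$dbUser = 'app_user';   // constructed placeholder
$dbPass = 'change-me';  // constructed placeholder
$dbName = 'app_db';     // constructed placeholder

$db = mysqli_connect($dbHost, $dbUser, $dbPass, $dbName);
if ($db === false) {
    // Keep the real reason in the server log; a profiling bot should see nothing useful.
    error_log('DB connect failed: ' . mysqli_connect_error());
    header('HTTP/1.1 503 Service Unavailable');
    exit;
}

// An included file can return a value to the script that included it.
return $db;

// --- Legitimate entry point, e.g. /home/user/www/index.php (assumed), for reference: ---
//   define('APP_ENTRY', true);
//   $db = require '/home/user/includes/db.php';
//   // ... application code using $db ...
```

Requesting db.php directly still runs it through PHP, so the plain-text exposure if PHP ever fails remains; the guard only removes the connection-exhaustion and information-leak cases.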

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
