On Mon, 2009-03-09 at 15:23 -0500, Larry Garfield wrote:
> On Monday 09 March 2009 3:07:17 pm Nathan Rixham wrote:
> > Ashley Sheridan wrote:
> > > Just thought I'd point out that it's recommended against giving non-php
> > > extensions to PHP code pages. Basically, making all of your include
> > > files .inc without the server correctly configured to recognise all .inc
> > > files as PHP files, you are opening yourself up to possible hacks where
> > > people put the URL of your include directly in their browser and view
> > > all your code. Best thing is usually to name files like this:
> > > filename.inc.php or some-such, and not filename.inc.
> >
> > v well said - one thing you never want is your source showing!
> Unless you're working in open source and then the source is showing anyway 
> from the original download site.  And if simply knowing your source code is a 
> security hole, then you have bad software.
> Your config file with passwords and such, sure, keep that locked down tight.  
> But don't rely on security through obscurity.
> -- 
> Larry Garfield
> la...@garfieldtech.com
I was talking about includes that have things such as database
connection information and other sensitive things. By making it a PHP
file, you prevent the code from being seen, ergo you hide your password,
etc. phpMyAdmin does it this way, using a config.inc.php file for
holding the connection information to each database.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to