Mayer, Jonathan wrote:

Just thought I'd point out that it's recommended against giving non-PHP
extensions to PHP code pages. Basically, by making all of your include
files .inc without the server correctly configured to recognise all .inc
files as PHP files, you are opening yourself up to possible hacks where
people put the URL of your include directly in their browser and view
all your code.

Easily solvable by keeping your include files in a directory outside the web root, i.e. in a directory Apache (or whatever server you use) does not serve.

If you have any include files that have sensitive information (i.e. database username/password, the salt/algorithm you use to create a user password hash, etc.) then having an include directory outside the web root is a must anyway - with or without a .php extension on those files (if Apache fails to load the PHP module for whatever reason on a restart, those .php files may be sent as plain text).

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
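
An audit for the two cases discussed in this thread, as an added example that is not part of the original messages: it walks a web root and reports PHP source the server would send as text (`.inc` and similar) and `.php` files holding credential-like strings that belong outside the web root. The handled-extension set, the keyword patterns and the sample directory names are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Assumption: only these extensions are mapped to the PHP handler on the server.
PHP_HANDLED = {".php"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Assumption: crude markers for the "sensitive" includes the reply mentions.
SENSITIVE = re.compile(rb"(password|passwd|salt|mysql_connect|new\s+PDO)", re.IGNORECASE)

def audit_docroot(docroot):
    """Return {relative_path: reason} for PHP source that should not live under docroot."""
    findings = {}
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(base, name)
            with open(path, "rb") as fh:
                data = fh.read(65536)  # the first 64 KiB is enough to spot PHP source
            if not PHP_TAG.search(data):
                continue
            rel = os.path.relpath(path, docroot)
            ext = os.path.splitext(name)[1].lower()
            if ext not in PHP_HANDLED:
                # A direct URL request returns the source verbatim.
                findings[rel] = "served-as-text"
            elif SENSITIVE.search(data):
                # Exposed only if the PHP module fails to load, but then in full.
                findings[rel] = "secrets-in-docroot"
    return findings

def build_sample_tree(root):
    """Constructed sample layout: a web root plus an include directory beside it."""
    files = {
        "public_html/index.php": b"<?php require __DIR__ . '/../includes/db.inc'; ?>",
        "public_html/header.inc": b"<?php echo '<h1>Site</h1>'; ?>",
        "public_html/config.php": b"<?php $db_password = 'example-only'; ?>",
        "public_html/style.css": b"body { margin: 0 }",
        "includes/db.inc": b"<?php $db_password = 'example-only'; ?>",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return os.path.join(root, "public_html")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in sorted(audit_docroot(build_sample_tree(tmp)).items()):
            print(f"{reason:20} {rel}")
```

On the sample tree, `includes/db.inc` is never reported because it sits beside the web root rather than inside it, which is the layout the reply recommends.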
