On Tuesday 10 July 2001 12:02 am, Rasmus Lerdorf wrote:
> > >     I come for advice once again. Say i have a file dbconnect.inc which
> > > connects to my database. Now if this file is located in a directory
> > > accessible for to the web is there anyway that if someone types in that
> > > file i can detect it being accessed, instead of included, and redirect
> > > them elsewhere?
> > >
> > > Thanks guys!
> > >
> > > - Noah
> >
> > The best compromise I have seen is to name your file -> somefile.inc.php
> No, don't do that.  Protect *.inc files from being accessed by adding a
> rule like this to your httpd.conf:
>   <Files ~ "\.inc$">
>       Order allow,deny
>       Deny from all
>   </Files>
> If you name include files with a .php extension and these files are
> designed to be used as included files then loading them directly out of
> context could be a security problem.  You are much better off naming your
> files some non-PHP extension and blocking all direct access to these
> files, or better yet, put your include files somewhere outside your
> document_root.
> -Rasmus

Sorry, I should have been more clear.  If you write modular code, your 
included file will be nothing but a group of functions.  Call a file with 
nothing but functions in it and you get; <HTML><HEAD></HEAD></HTML>.  I can't 
see the security problem you refer to. 
John Weaver

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to