On Tuesday 10 July 2001 12:02 am, Rasmus Lerdorf wrote:
> > > I come for advice once again. Say I have a file dbconnect.inc which
> > > connects to my database. Now if this file is located in a directory
> > > accessible to the web, is there any way that if someone types in that
> > > file I can detect it being accessed, instead of included, and redirect
> > > them elsewhere?
> > >
> > > Thanks guys!
> > >
> > > - Noah
> >
> > The best compromise I have seen is to name your file -> somefile.inc.php
>
> No, don't do that. Protect *.inc files from being accessed by adding a
> rule like this to your httpd.conf:
>
> <Files ~ "\.inc$">
> Order allow,deny
> Deny from all
> </Files>
>
> If you name include files with a .php extension and these files are
> designed to be used as included files then loading them directly out of
> context could be a security problem. You are much better off naming your
> files some non-PHP extension and blocking all direct access to these
> files, or better yet, put your include files somewhere outside your
> document_root.
>
> -Rasmus
Sorry, I should have been more clear. If you write modular code, your
included file will be nothing but a group of functions. Call a file with
nothing but functions in it and you get: <HTML><HEAD></HEAD></HTML>. I can't
see the security problem you refer to.
--
Regards,
John Weaver
--
PHP General Mailing List (http://www.php.net/)
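
An added example, not part of the original thread: a small Python audit that walks a document root and reports what a direct request for each include file would do, given the `<Files>` rule quoted above. The function names, the sample tree and the assumption that only `.php` is mapped to the PHP handler (so other extensions are served as plain text) are constructed for illustration.

```python
import os
import re
import tempfile

# <Files ~ "regex"> ... </Files> blocks, as in the httpd.conf rule quoted in the thread
FILES_BLOCK = re.compile(r'<Files\s+~\s+"([^"]+)">(.*?)</Files>', re.S | re.I)

# The rule from the thread, verbatim
RULE = r'''<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>'''

def denied_patterns(conf_text):
    """Filename regexes from <Files ~ "..."> blocks that contain 'Deny from all'."""
    return [re.compile(rx) for rx, body in FILES_BLOCK.findall(conf_text)
            if re.search(r'^\s*Deny\s+from\s+all\s*$', body, re.I | re.M)]

def audit(docroot, conf_text, php_exts=(".php",)):
    """Map each include file under docroot to the effect of requesting it directly."""
    denied = denied_patterns(conf_text)
    findings = {}
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if ".inc" not in name:
                continue  # not an include file by the thread's naming conventions
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            rel = rel.replace(os.sep, "/")
            if any(rx.search(name) for rx in denied):
                findings[rel] = "blocked"
            elif name.endswith(php_exts):
                # Assumption: .php is handled by PHP, so the file runs on its own
                findings[rel] = "executes out of context"
            else:
                # Assumption: no handler for this extension, so source is returned
                findings[rel] = "source served as text"
    return findings

def demo():
    """Constructed sample tree: audit it without and with the <Files> rule."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        for rel in ("dbconnect.inc", "lib/funcs.inc.php", "index.php"):
            open(os.path.join(root, rel), "w").close()
        return audit(root, ""), audit(root, RULE)

if __name__ == "__main__":
    for label, result in zip(("no rule", "with rule"), demo()):
        print(label, result)
```

The `\.inc$` pattern does not match `funcs.inc.php`, so files named that way stay directly requestable even with the rule in place.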