> there should not be any problem if your web server is configured to parse
> .inc extentions as PHP, in wich case, even if the file is called
> separately, the server will strip php tags and send normal html output.

Once again, don't do this.

If you write your .inc files assuming they are going to be running in the
context of a larger framework where they are included into you are likely
to miss things that could be a security problem if they are run by
themselves via something like: file.inc?file=/etc/passswd

You are better off letting people see the source code to your .inc file as
opposed to letting people execute them out of context.

Obviously the most secure way is to simply put all your include files
outside of your document_root so they can't be accessed directly.

Or, alternatively add a simple rule to your httpd.conf:

  <Files ~ "\.inc$">
      Order allow,deny
      Deny from all


PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to