On 14-Jul-01 Rasmus Lerdorf wrote:

>> I wrote (attribution added)
>> Enough already.
>>  Whom should we flog and keel-haul for starting this include(foo.inc) crap
>>  ?!?
> There is nothing wrong with naming include files with a separate
> extension.  

In the context of C files: *.c *.h. Then I'll go along with that. But most C
programs are not out for perusal by the world via HTTP.

>        In fact it is more secure as long as you block access to files
> with that extension.  

Not everybody has root on their server, and few hosting providers care or have
enough clues to do this as the default. And even if they cared, Ghod knows they
couldn't find any clues in the PHP documentation:

localhost.dread$ pwd
localhost.dread$ grep -i Deny * | wc -l

>                      Naming your include files with the .php extension
> opens you up to possible out-of-context parsing security issues.

It's late, I've had a couple of beers, and in the morning I'll spend some
effort trying to imagine such issues. In the meantime I'd welcome any
real-life examples.

To my mind, you've two basic contexts: common functions & static data.
It's pointless in naming one .php and the other .inc; it means nothing to
the program (whereas in C if you switch around the *.c & *.h; yea verily, 
your Makefile will care).

Consider another slant;  tomorrow I'll start posting code:



How many follow-ups ya think that'll generate ? & How many newbies will later
come asking "How do I keep the world from reading my passwords ?"

Will you then suggest they modify their http.conf ? 
 - Or will you say: 
    "Dammit, Don Read, stop posting that crap !"

And *that's* what I'm saying:
    "Dammit, folks, stop (or at least don't post examples) using *.inc "

There is no compelling reason to use it.

> -Rasmus

With all my respect, Rasmus. I disagree.

Don Read                                       [EMAIL PROTECTED]
-- It's always darkest before the dawn. So if you are going to 
   steal the neighbor's newspaper, that's the time to do it.
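
An added example, not part of the original post or of the PHP project: a Python audit of the situation the thread argues over, listing `.inc` files under a document root that contain PHP code and are not covered by an `.htaccess` deny rule. The `.inc` extension set, the `.htaccess`-only heuristic (server-wide configuration is not inspected) and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions assumed NOT mapped to the PHP handler (assumption; adjust per server).
RAW_EXTS = {".inc"}
PHP_TAG = re.compile(rb"<\?(php|=|\s)")
# Heuristic: a <Files>/<FilesMatch> block naming "inc" that denies all access.
DENY_BLOCK = re.compile(
    r"<Files(Match)?\s+[^>]*inc[^>]*>.*?"
    r"(deny\s+from\s+all|require\s+all\s+denied).*?</Files", re.I | re.S)

def is_denied(directory: Path, docroot: Path) -> bool:
    """True if an .htaccess here or in a parent (up to docroot) blocks .inc."""
    d = directory
    while True:
        ht = d / ".htaccess"
        if ht.is_file() and DENY_BLOCK.search(ht.read_text(errors="replace")):
            return True
        if d == docroot or d == d.parent:
            return False
        d = d.parent

def exposed_includes(docroot) -> list:
    """Relative paths of include files a default server would send as plain text."""
    docroot = Path(docroot).resolve()
    hits = []
    for f in sorted(docroot.rglob("*")):
        if f.is_file() and f.suffix.lower() in RAW_EXTS:
            if PHP_TAG.search(f.read_bytes()) and not is_denied(f.parent, docroot):
                hits.append(f.relative_to(docroot).as_posix())
    return hits

def build_sample(root: Path) -> None:
    """Constructed sample tree: one unprotected and one protected directory."""
    secret = "<?php $db_pass = 'example-only'; ?>\n"
    for name in ("open", "locked"):
        (root / name).mkdir()
        (root / name / "db.inc").write_text(secret)
    (root / "locked" / ".htaccess").write_text(
        '<Files ~ "\\.inc$">\n  Order allow,deny\n  Deny from all\n</Files>\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(exposed_includes(tmp))
```

An empty result only means no unprotected include was found by this heuristic; a deny rule placed in the main server configuration instead of `.htaccess` would be reported here as missing.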

PHP General Mailing List (http://www.php.net/)