Well...
I don't think there should be any problem if the included file is a class (right???)
Come to think about it, is it possible to create an object by passing a URL like
this: file.inc?file=new mysql&file->conn() I mean, would this run the class??


regards

At 05:00 14/07/01, Rasmus Lerdorf wrote:
> > there should not be any problem if your web server is configured to parse
> > .inc extensions as PHP, in which case, even if the file is called
> > separately, the server will strip php tags and send normal html output.
>
>Once again, don't do this.
>
>If you write your .inc files assuming they are going to be running in the
>context of a larger framework where they are included into, you are likely
>to miss things that could be a security problem if they are run by
>themselves via something like: file.inc?file=/etc/passwd
>
>You are better off letting people see the source code to your .inc file as
>opposed to letting people execute them out of context.
>
>Obviously the most secure way is to simply put all your include files
>outside of your document_root so they can't be accessed directly.
>
>Or, alternatively add a simple rule to your httpd.conf:
>
>   <Files ~ "\.inc$">
>       Order allow,deny
>       Deny from all
>   </Files>
>
>-Rasmus
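
The out-of-context problem described in the quoted message, and an in-file backstop against it, as an added example that is not part of the original thread. The file name `report.inc`, the `reports/` directory, the `.txt` naming rule and the front controller that sets `$file` are all assumptions made for illustration.

```php
<?php
// report.inc : hypothetical include file, hardened form (added example).
// Assumed caller:   $file = 'summary.txt'; include 'report.inc';
//
// The weak form consisted of a single line:
//     readfile($file);
// It trusted the including page to set and check $file. Run on its own,
// with request parameters registered as globals (register_globals, on by
// default in PHP at the time of this thread), nothing has checked $file.

// Guard 1: refuse to run when this file is the script the web server was
// asked to execute, i.e. it was requested directly and not included.
$entry = isset($_SERVER['SCRIPT_FILENAME'])
    ? realpath($_SERVER['SCRIPT_FILENAME'])
    : false;
if ($entry === false || $entry === realpath(__FILE__)) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Guard 2: validate the input here too, so the file is safe in any context.
// Only a bare name such as "summary.txt" is accepted, no directory parts.
$name = isset($file) ? $file : '';
$base = realpath(__DIR__ . '/reports');   // assumed data directory
$path = false;
if ($base !== false && is_string($name)
    && preg_match('/^[A-Za-z0-9_-]+\.txt$/', $name)) {
    // realpath() resolves symlinks and returns false for missing files.
    $path = realpath($base . '/' . $name);
}

// The resolved path must still sit under the reports directory.
if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

readfile($path);
```

These checks are a backstop only; keeping include files outside document_root, or the `<Files>` rule quoted above, stops the direct request before PHP runs at all.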


