> So, I want to rename them to *.inc.php

No, you don't. :-)

That allows hackers to surf to individual pieces of your code in <deity>
knows what circumstances and do an end-run around any data-sanitizing you
have in your .php files...  That's even worse for security than revealing
the contents of your .inc files in the first place.

What you *REALLY* want is to force Apache via httpd.conf or .htaccess to simply
*NOT* serve up any .inc files, or, better yet, to move your .inc files out
of the web-tree *entirely* and use include_path to get them include-able by
PHP.

For example:

Assume that your web-server currently looks kinda like this:

/your-home-dir
    /htdocs
        index.php
        coolpage.php
        whatever.inc
        somemore.inc

Do this:
/your-home-dir
    whatever.inc
    somemore.inc
    /htdocs
        .htaccess
        index.php
        coolpage.php

So now your .inc files aren't even visible to a web-surfer, no matter what
your httpd.conf looks like.  Well, unless you're silly enough to screw up
and set up your home dir inside a DocumentRoot at some point...  You'd have
to be pretty asleep to do that, though...

---------- .htaccess -------------
php_value include_path "./:/full/path/to/your-home-dir"
----------------------------------

You can use <?php phpinfo();?> in your /htdocs directory to find out the
full path bit you need above.  Throw it away as soon as you're done with it
though, as phpinfo() reveals far too much about your web-server to leave it
lying around for hackers to peruse.

--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
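
An added example, not part of the original message: a small Python audit that walks a DocumentRoot and flags include fragments a browser could request, run against constructed copies of the two layouts above. The suffixes checked, the function names and the risk labels are assumptions made for illustration.

```python
import os
import tempfile

# Assumed naming conventions, taken from the thread: .inc and .inc.php
DIRECT_EXEC = ".inc.php"   # PHP runs the fragment when it is requested directly
SOURCE_LEAK = ".inc"       # contents can be revealed to the browser

def audit_docroot(docroot):
    """Return {path relative to docroot: risk} for include fragments under it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            if name.lower().endswith(DIRECT_EXEC):
                findings[rel] = "direct-execution"
            elif name.lower().endswith(SOURCE_LEAK):
                findings[rel] = "source-disclosure"
    return findings

def include_dir_outside(docroot, include_dir):
    """True when the include_path directory is not the docroot or below it."""
    docroot, include_dir = os.path.realpath(docroot), os.path.realpath(include_dir)
    return os.path.commonpath([docroot, include_dir]) != docroot

def build_tree(base, paths):
    # Create empty files for a constructed sample layout.
    for p in paths:
        full = os.path.join(base, p)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

def demo():
    """Constructed trees: fragments inside htdocs, then the relocated layout."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        build_tree(home, ["htdocs/index.php", "htdocs/coolpage.php",
                          "htdocs/whatever.inc", "htdocs/somemore.inc.php"])
        results["before"] = audit_docroot(os.path.join(home, "htdocs"))
    with tempfile.TemporaryDirectory() as home:
        htdocs = os.path.join(home, "htdocs")
        build_tree(home, ["whatever.inc", "somemore.inc", "htdocs/.htaccess",
                          "htdocs/index.php", "htdocs/coolpage.php"])
        results["after"] = audit_docroot(htdocs)
        results["include_dir_outside"] = include_dir_outside(htdocs, home)
    return results

if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found if found != {} else "clean")
```
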


