On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:

> I've seen a number of sites for example that didn't have the .inc extension 
> include() doesn't care about that, but if your includes are under the document root 
>of your
> website  (that happens a lot too, i don't know why ?) and you specify the exact name 
> the include in your browser (or worse, the directory is browsable from the web), the 
> will default to text/plain content and display the source. Bad thing since includes 
>usually contain
> passwords and stuff.

I agree with this, since I saw such mistakes wit my own eyes. IMHO, the
best way to avoid this kind of problems is to:

(1) avoid using .inc files; use .php files like for normal script
(2) turn Indexes directive to off by default per website
(3) make directories 711 instead of 755
(4) develop an organized php scripts structure outside DocumentRoot and
place the files that you will eventually include in an "include"
sudirectory within that structure
(5) review changes all the time, check your weblogs and be vigillent :-)


Radu Filip
                           Network Administrator @ Technical University of Iasi
[EMAIL PROTECTED]             Information Technology and Communication Center
http://socrate.tuiasi.ro/  [EMAIL PROTECTED] | http://ccti.tuiasi.ro/

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to