On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:
> I've seen a number of sites for example that didn't have the .inc extension 
> include() doesn't care about that, but if your includes are under the document root 
>of your
> website  (that happens a lot too, i don't know why ?) and you specify the exact name 
> the include in your browser (or worse, the directory is browsable from the web), the 
> will default to text/plain content and display the source. Bad thing since includes 
>usually contain
> passwords and stuff.

It also doesn't make a difference to PHP if your include files are in the
web server's document root, or not.  If you have important information in
your include files, you'll be better off placing them in a directory which
is not in your web server's document root.

The web server will still need to access them, so you'll probably have to
leave the permissions on the directory/files such that any users on the
local system can read them (just like docs in the web root ... this is not
a change), but at least the whole world isn't one HTTP request away from
obtaining your important information.

If you are the server's admin, or know the person well, you can tighten
the file permissions down more with a little administrative work ...
adding a new group of which your user and the web server are a member, and
only permitting access to your files to that group and yourself.

        ~Chris                           /"\
                                         \ /     September 11, 2001
                                          X      We Are All New Yorkers
                                         / \     rm -rf /bin/laden

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to