> On Thu, 17 Jan 2002, [EMAIL PROTECTED] wrote:
>
> > I've seen a number of sites for example that didn't have the .inc extension registered,
> > include() doesn't care about that, but if your includes are under the document root of your
> > website (that happens a lot too, I don't know why?) and you specify the exact name of
> > the include in your browser (or worse, the directory is browsable from the web), the webserver
> > will default to text/plain content and display the source. Bad thing since includes usually contain
> > passwords and stuff.
>
> I agree with this, since I saw such mistakes with my own eyes. IMHO, the
> best way to avoid this kind of problem is to:
>
> (1) avoid using .inc files; use .php files like for normal script

No, it is safer to block access to .inc files with an httpd.conf rule.
Allowing people to execute files that were meant to be included out of
context could end up being much more dangerous than simply having people
see the source.

-Rasmus
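
An httpd.conf rule of the kind the reply above recommends, as an added example that is not part of the original message. The `.inc` pattern comes from the thread; the two branches are an assumption so that the same block covers Apache 2.4 and the older 2.2-style access control.

```apache
# Added example: refuse every direct HTTP request for *.inc files.
# PHP's include() reads the file from disk, so scripts that include
# these files keep working; only requests made by URL are denied.
<FilesMatch "\.inc$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

With this in place a request for an include file gets 403 Forbidden: the source is not served as text/plain, and the file is not executed out of context either.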


-- 
PHP General Mailing List (http://www.php.net/)