> > (1) avoid using .inc files; use .php files like for normal script > > No, it is safer to block access to .inc files with an httpd.conf rule.
The way I approach this, besides blocking execution, is to put any sensitive files in a directory above the Document Root for the virtual domain. PHP can then reach it, but Apache won't. /var/www/domain.name /var/www/domain.name/htdocs <-- php scripts go here /var/www/domain.name/private <-- inc files go here Billy -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]