> On Wednesday, January 16, 2002, at 08:04 PM, Rasmus Lerdorf wrote: > > > No, it is safer to block access to .inc files with an httpd.conf rule. > > Allowing people to execute files that were meant to be included out of > > context could end up being much more dangerous than simply having people > > see the source. > > > > -Rasmus > > > > So the technique of adding ".inc" to the list of extensions in "AddType > application/x-httpd-php" line and just having PHP parse them as PHP code > is unwise? Or should a combination of the two be used -- parsing ".inc" > files *AND* blocking access to them in httpd.conf?
Correct, that is unwise. I would never register .inc as being PHP types for the very reason I stated. Execution code out of the context it was meant to be executed in is a very bad idea. -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]