Best solution still seems to be to keep those includes out of your document root.
bvr. On Thu, 17 Jan 2002 08:41:37 -0800 (PST), Rasmus Lerdorf wrote: >> On Wednesday, January 16, 2002, at 08:04 PM, Rasmus Lerdorf wrote: >> >> > No, it is safer to block access to .inc files with an httpd.conf rule. >> > Allowing people to execute files that were meant to be included out of >> > context could end up being much more dangerous than simply having people >> > see the source. >> > >> > -Rasmus >> > >> >> So the technique of adding ".inc" to the list of extensions in "AddType >> application/x-httpd-php" line and just having PHP parse them as PHP code >> is unwise? Or should a combination of the two be used -- parsing ".inc" >> files *AND* blocking access to them in httpd.conf? > >Correct, that is unwise. I would never register .inc as being PHP types >for the very reason I stated. Execution code out of the context it was >meant to be executed in is a very bad idea. > >-Rasmus > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
