Best solution still seems to be to keep those includes out of your document root.


On Thu, 17 Jan 2002 08:41:37 -0800 (PST), Rasmus Lerdorf wrote:

>> On Wednesday, January 16, 2002, at 08:04  PM, Rasmus Lerdorf wrote:
>> > No, it is safer to block access to .inc files with an httpd.conf rule.
>> > Allowing people to execute files that were meant to be included out of
>> > context could end up being much more dangerous than simply having people
>> > see the source.
>> >
>> > -Rasmus
>> >
>> So the technique of adding ".inc" to the list of extensions in "AddType
>> application/x-httpd-php" line and just having PHP parse them as PHP code
>> is unwise?  Or should a combination of the two be used -- parsing ".inc"
>> files *AND* blocking access to them in httpd.conf?
>Correct, that is unwise.  I would never register .inc as being PHP types
>for the very reason I stated.  Executing code out of the context it was
>meant to be executed in is a very bad idea.
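
The two approaches from this thread, as an added httpd.conf sketch (not part of any poster's message): .inc stays unregistered as a PHP type and direct requests for it are refused, with the includes also moved outside the document root. The paths are hypothetical, and the php_value line assumes PHP runs as an Apache module.

```apache
# Unwise (per the thread): registering .inc as a PHP type makes every
# include file directly executable by URL, outside the context it was
# written for.
#AddType application/x-httpd-php .php .inc

# Only .php is handed to PHP.
AddType application/x-httpd-php .php

# Refuse direct HTTP requests for .inc files. include/require read the
# file from the filesystem, so they are not affected by this rule.
<FilesMatch "\.inc$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 1.3 / 2.0 / 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Keeping includes out of the document root: the .inc files live in a
# directory that has no URL mapping at all, and PHP finds them through
# include_path. Both paths below are hypothetical.
DocumentRoot "/var/www/example/htdocs"
php_value include_path ".:/var/www/example/inc"
```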
