> 1. Name all included files .inc. I do this for many reasons, but mainly
> to help me know which are executables, and which are includes. It also
> helps with step 3.

Just for an added layer of security (in case step 3 isn't effective due to
mis-configuration or what have you), name them .inc.php and at the top of
the code put something like this (eg: filename == mysql.inc.php):

    // $_SERVER['SCRIPT_NAME'] is set even when register_globals is off
    if ($_SERVER['SCRIPT_NAME'] == "/inc/mysql.inc.php") die("you shouldnt be talking to me!");

or if you're really clever - you could throw a 404: not found or a 301:
access denied.

This also means that your script will be relatively harmless and the PHP
code would never be divulged. If it was in a .inc file alone, then if the
.htaccess wasn't being effective (or it was accidentally uploaded to an
alternate location) then it would be completely exposed.

> 3. Include a .htaccess file in the /inc/ directory (or further up
> towards your docroot) with the following:
>
> <Files ~ "\.inc$">
> Order Allow,Deny
> Deny from all
> </Files>

Change the first line to <Files ~ "\.inc\.php$"> in order to fit this more
secure procedure.

--
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd

--
PHP General Mailing List (http://www.php.net/)
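
Added example, not part of the original post: a Python audit of the two layers the message describes. It walks a docroot, reads `<Files ~ "...">` deny rules from .htaccess files, and reports which include files have both protections, one, or none. The tree built in `demo()` is constructed sample data. The script assumes only `.php` files are handed to the PHP interpreter, and it cannot tell whether Apache's AllowOverride actually honours the .htaccess.

```python
import os
import re
import tempfile

# Matches the <Files ~ "regex"> ... </Files> form used in the post.
FILES_BLOCK = re.compile(r'<Files\s+~\s+"([^"]+)"\s*>(.*?)</Files>', re.I | re.S)

def deny_patterns(htaccess_path):
    """Return compiled regexes of <Files ~> blocks that contain 'Deny from all'."""
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [re.compile(pat) for pat, body in FILES_BLOCK.findall(text)
            if re.search(r"^\s*Deny\s+from\s+all\s*$", body, re.I | re.M)]

def audit(docroot):
    """Map each *.inc / *.inc.php file under docroot to a protection verdict."""
    verdicts, in_effect = {}, {}
    for dirpath, _dirs, files in os.walk(docroot):  # top-down: parents first
        pats = list(in_effect.get(os.path.dirname(dirpath), []))
        if ".htaccess" in files:
            pats += deny_patterns(os.path.join(dirpath, ".htaccess"))
        in_effect[dirpath] = pats  # .htaccess rules also cover subdirectories
        for name in files:
            if not re.search(r"\.inc(\.php)?$", name):
                continue
            denied = any(p.search(name) for p in pats)
            parsed = name.endswith(".php")  # assumption: only .php is run by PHP
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            verdicts[rel.replace(os.sep, "/")] = (
                "both layers" if denied and parsed else
                "htaccess only" if denied else
                "php extension only" if parsed else "EXPOSED")
    return verdicts

def demo():
    """Build a constructed sample tree (not real data) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        os.makedirs(os.path.join(root, "old"))  # stands in for a stray upload location
        with open(os.path.join(root, "inc", ".htaccess"), "w") as fh:
            fh.write('<Files ~ "\\.inc\\.php$">\nOrder Allow,Deny\nDeny from all\n</Files>\n')
        for rel in ("inc/mysql.inc.php", "inc/legacy.inc", "old/mysql.inc.php", "old/db.inc"):
            open(os.path.join(root, *rel.split("/")), "w").close()
        return audit(root)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:20} {path}")
```

Files reported as "htaccess only" or "EXPOSED" are the ones whose source would be served as plain text if the deny rule is ignored or missing.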