> 1. Name all included files .inc I do this for many reasons, but mainly
> to help me know which are executables, and which are includes.  It also
> helps with step 3.

Just for an added layer of security (incase step 3 isnt effective due to
mis-configuration or what have you), name them .inc.php and at the top of
the code put something like this (eg: filename == mysql.inc.php):

if ($SCRIPT_NAME=="/inc/mysql.inc.php")
  die("you shouldnt be talking to me!");

or if your really clever - you could throw a 404: not found or a 301:
access denied.

This also means that your script will be relatively harmless and the PHP
code would never be divulged. If it was in a .inc file alone, then if the
..htaccess wasnt being effective (or it was accidentally uploaded to an
alternate location) then it would be completely exposed.

> 3. Include a .htaccess file in the /inc/ directory (or further up
> towards your docroot with the following:
> <Files ~ "\.inc$">
>     Order Allow,Deny
>     Deny from all
> </Files>

Change the first line to <Files ~ "\.inc.php$"> in order to fit this more
secure procedure.

Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to