This explanation from Justin is worth saving.

I also like to call all of my included modules *.inc, and I prefer to 
store them outside of document root.

However, if you want to keep all of your files together, the .htaccess 
file shown below is the best way to restrict direct access to modules. 
Some people make the mistake of simply making *.inc files considered PHP 
by Apache (claiming it is better to execute them than to have their 
source code displayed), but this gives attackers the opportunity to 
execute your modules out of context - a very dangerous approach.

One extra note worth adding is that you should add this configuration to 
your httpd.conf if you are the Web server administrator. This will keep 
you from having to remember the .htaccess file everywhere. Justin's 
method is best for when you do not have this option.


Justin French wrote:

>I name all my included files *.inc... I place them all in a folder
>/inc/ and place a .htaccess file in that directory to restrict the files
>being served over HTTP:
><Files ~ "\.inc$">
>    Order Allow,Deny
>    Deny from all
></Files>
>Another option would be to place them in a folder ABOVE your web root, so
>that Apache can't serve them -- if you have that option.

PHP General Mailing List
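
An added example, not part of the original message or of Justin's post: the same rule written for httpd.conf, shown next to the handler mapping the message warns against. The Apache 2.4 `Require` branch and the `IfModule` wrappers are assumptions added here; the thread itself only shows the 2.2-style `Order`/`Deny` lines.

```apache
# Added example, not from the original thread.
# Placed in httpd.conf at server level, this covers *.inc files in every
# directory, so no per-directory .htaccess file has to be remembered.
# PHP's include/require read the files from disk, so they are unaffected.
<FilesMatch "\.inc$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later (assumption: not mentioned in the thread)
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax, as in the quoted .htaccess
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# The mistake described in the message, left commented out on purpose:
# mapping .inc to the PHP handler hides the source but makes every module
# directly requestable, so it runs outside the page that was meant to include it.
# AddType application/x-httpd-php .inc
```

After a reload, a direct request for any `*.inc` URL should return 403 while pages that include those files keep working.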