Thanks guys. That really helpful.

Chuck Payne

On 9/21/02 10:16 PM, "Chris Shiflett" <[EMAIL PROTECTED]> wrote:

> This explanation from Justin is worth saving.
> I also like to call all of my included modules *.inc, and I prefer to
> store them outside of document root.
> However, if you want to keep all of your files together, the .htaccess
> file shown below is the best way to restrict direct access to modules.
> Some people make the mistake of simply making *.inc files considered PHP
> by Apache (claiming it is better to execute them than to have their
> source code displayed), but this gives attackers the opportunity to
> execute your modules out of context - a very dangerous approach.
> One extra note worth adding is that you should add this configuration to
> your httpd.conf if you are the Web server administrator. This will keep
> you from having to remember the .htaccess file everywhere. Justin's
> method is best for when you do not have this option.
> Chris
> Justin French wrote:
>> I place name all my included files *.inc... I place them all in a folder
>> /inc/ and place a .htaccess file in that directory to restrict the files
>> being served of HTTP:
>> <Files ~ "\.inc$">
>>    Order Allow,Deny
>>    Deny from all
>> </Files>
>> Another option would be to place them in a folder ABOVE your web root, so
>> that Apache can't serve them -- if you have that option.

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to