(Sorry if I've already sent this.)

I agree. But, I don't really see any problem having *.inc files as *.inc.php
(so that they'll be executed by Apache) esp. IF the config file have only
this: (Even if this is executed nothing shows up...)


  $my_super_user = 'blahblah';
  $my_super_password = 'blahblahblah';


I just thought this is worth knowing esp. if there's no way you can use
.htaccess. (Of course, if you can't use .htaccess, you might want to change
ISPs or set up your own server but that is for a different topic :)

- E

> This explanation from Justin is worth saving.
> I also like to call all of my included modules *.inc, and I prefer to
> store them outside of document root.
> However, if you want to keep all of your files together, the .htaccess
> file shown below is the best way to restrict direct access to modules.
> Some people make the mistake of simply making *.inc files considered PHP
> by Apache (claiming it is better to execute them than to have their
> source code displayed), but this gives attackers the opportunity to
> execute your modules out of context - a very dangerous approach.
> One extra note worth adding is that you should add this configuration to
> your httpd.conf if you are the Web server administrator. This will keep
> you from having to remember the .htaccess file everywhere. Justin's
> method is best for when you do not have this option.
> Chris
> Justin French wrote:
> >I place name all my included files *.inc... I place them all in a folder
> >/inc/ and place a .htaccess file in that directory to restrict the files
> >being served of HTTP:
> >
> ><Files ~ "\.inc$">
> >    Order Allow,Deny
> >    Deny from all
> ></Files>
> >
> >Another option would be to place them in a folder ABOVE your web root, so
> >that Apache can't serve them -- if you have that option.
> >
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to