> How'd anyone be able to pull out my PHP source anyway? Since it's an
> server, it'll only respond to http requests, and since php is
> upon request, the enitre source will be altered to just html ... don't
> that ... 

Yeah, that's true if you give it a .php extension. But, you have to
remember that anyone can now run the php page and have it executed out
of context. It may or may not be an issue, depending on your code. 

> atleast the way I do it, the path to the included files is
> hidden, 'cause it's all variable controlled ... it just plugs together
> variable with some path parts, directly in the include(...).
> So for anyone to pull the includes, they'll need to know the exact
path to
> them, in order to retrieve them, right?

Security through obscurity. Give someone a reason and they'll figure out
the path. I think the best solution for you right now is to go ahead and
give them a .php extension, but be aware of what will happen when that
script is run by itself, with register globals on or off. 

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to