My preference:

1. if possible, store the files above your public_html directory (doc root)... this means they cannot be over http:// by apache, if that isn't possible:

2. use .htaccess to either block the entire directory of includes, or all *.inc files, or whatever you think is best. Personally, I block *.inc across all my sites, via a .htaccess file in the doc root:

    <Files ~ "\.inc$">
        Order Allow,Deny
        Deny from all
    </Files>

3. I don't think permissions (chmod) of the file will help much, since apache needs to read the files for them to be included... you should make sure that other users on the server cannot include() your .inc files from their account... if they can, find a new ISP ASAP, because they're obviously DUMB.

I personally don't like the idea of naming all inc files *.php, because there is a CHANCE that they might be executed out of context (imagine if you had an include file which (stupidly) worked fine within the context of your whole site, but accidentally deleted a whole table of data if executed on its own... YUK!!).

The upside of naming them .php is that if the server's sys admin accidentally takes away permission for .htaccess files, or you accidentally delete your own .htaccess file, you're still protected.

Perhaps you could consider BOTH:

    <Files ~ "\.inc\.php$">
        Order Allow,Deny
        Deny from all
    </Files>

... this will prevent them being served at all... in the event that the .htaccess is deleted or disabled, you can rest easy that PHP will parse them, so that they cannot see the raw file.

By the way, this has been discussed in the archives MANY times, so do some background research first... or even right now :)

Justin

on 18/02/03 8:17 AM, PR ([EMAIL PROTECTED]) wrote:

> Hello,
>
> How can I protect my php files among other files like templates
> (.inc) and mysql config (config.inc) files being copied/read/imported (front
> page)/used by other applications other than my
> site...
>
> can this be done by htaccess? if so, could anyone point me into right
> direction?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
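Added example, not part of Justin's message: a Python check that walks a document root and lists the include files that no deny-all <Files ~> or <FilesMatch> section in the inherited .htaccess files matches. The function names, the constructed sample tree and the .inc/.inc.php suffix list are assumptions for illustration; the check reads .htaccess text only and cannot tell whether the server honours it.

```python
import os
import re
import tempfile

# <Files ~ "re"> / <FilesMatch "re"> sections; Apache tests the regex on the base name.
SECTION = re.compile(r'<Files(?:Match|\s+~)\s+"([^"]+)"\s*>(.*?)</Files(?:Match)?>', re.I | re.S)
# 2.2-style "Deny from all" (as in the message) or the 2.4 form "Require all denied".
DENY = re.compile(r'^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)

def deny_patterns(htaccess_text):
    """Filename regexes of every section that denies all access."""
    return [re.compile(m.group(1)) for m in SECTION.finditer(htaccess_text)
            if DENY.search(m.group(2))]

def reachable_includes(doc_root, suffixes=(".inc", ".inc.php")):
    """Include files under doc_root that no inherited deny rule matches.
    Simplification: later Allow/Require overrides and server config are ignored."""
    doc_root = os.path.abspath(doc_root)
    in_effect, found = {}, []
    for cur, _dirs, files in os.walk(doc_root):  # top-down, so parents come first
        patterns = list(in_effect.get(os.path.dirname(cur), []))
        if ".htaccess" in files:
            with open(os.path.join(cur, ".htaccess"), encoding="utf-8") as fh:
                patterns += deny_patterns(fh.read())
        in_effect[cur] = patterns
        for name in files:
            if name.endswith(suffixes) and not any(p.search(name) for p in patterns):
                found.append(os.path.relpath(os.path.join(cur, name), doc_root))
    return sorted(found)

def sample_tree(htaccess_text):
    """Constructed doc root: config.inc, templates/header.inc, lib/db.inc.php."""
    root = tempfile.mkdtemp()
    for rel in ("config.inc", "templates/header.inc", "lib/db.inc.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?php // constructed sample\n")
    if htaccess_text:
        with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(htaccess_text)
    return root

RULE_INC = '<Files ~ "\\.inc$">\nOrder Allow,Deny\nDeny from all\n</Files>\n'
RULE_BOTH = RULE_INC + '<Files ~ "\\.inc\\.php$">\nOrder Allow,Deny\nDeny from all\n</Files>\n'

if __name__ == "__main__":
    for label, rules in (("no .htaccess", ""), ("*.inc rule", RULE_INC), ("both rules", RULE_BOTH)):
        print(label, "->", reachable_includes(sample_tree(rules)))
```

With only the *.inc rule in place, lib/db.inc.php is still listed: the request reaches PHP, which is the "executed out of context" case the message describes.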