My preference

1. if possible, store the files above your public_html directory (doc
root)... this means they cannot be served over http:// by apache. If that
isn't possible:

2. use .htaccess to either block the entire directory of includes, or all
*.inc files, or whatever you think is best.  Personally, I block *.inc
across all my sites, via a .htaccess file in the doc root:

# deny any request whose filename ends in .inc
<Files ~ "\.inc$">
    Order Allow,Deny
    Deny from all
</Files>

3. I don't think permissions (chmod) of the file will help much, since
apache needs to read the files for them to be included... you should make
sure that other users on the server cannot include() your .inc files from
their account... if they can, find a new ISP ASAP, because they're obviously
DUMB.


I personally don't like the idea of naming all inc files *.php, because
there is a CHANCE that they might be executed out of context (imagine if you
had an include file which (stupidly) worked fine within the context of your
whole site, but accidentally deleted a whole table of data if executed on
its own... YUK!!).

The upside of naming them .php is that if the server's sys admin accidentally
takes away permission for .htaccess files, or you accidentally delete your
own .htaccess file, you're still protected.


Perhaps you could consider BOTH:

# deny any request whose filename ends in .inc.php (both dots escaped)
<Files ~ "\.inc\.php$">
    Order Allow,Deny
    Deny from all
</Files>

... this will prevent them from being served at all... in the event that the
.htaccess is deleted or disabled, you can rest easy that PHP will parse
them, so that they cannot see the raw file.


By the way, this has been discussed in the archives MANY times, so do some
background research first... or even right now :)


Justin



on 18/02/03 8:17 AM, PR ([EMAIL PROTECTED]) wrote:

> Hello,
> 
> How can I protect my php files among other files like templates
> (.inc) and mysql config (config.inc) files being copied/read/imported (front
> page)/used by other applications other than my
> site...
> 
> can this be done by htaccess? if so, could anyone point me in the right
> direction?
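
An added offline check, not part of this thread, that applies the two `<Files ~>` patterns above to a constructed list of file names and reports what a doc root would still hand out raw. It assumes Apache's regex semantics (unanchored, case-sensitive search against the basename) and that only `.php` files are passed to PHP; the broader pattern is a suggestion of this example, not the poster's.

```python
import re

# The two patterns from the .htaccess snippets in the thread.
THREAD_PATTERNS = [r"\.inc$", r"\.inc\.php$"]

# Suggested broader pattern (assumption, not from the thread): also covers
# editor/backup copies such as config.inc.bak or config.inc~
BROADER_PATTERN = r"\.inc(\.|~|$)"

# Constructed sample of files that tend to accumulate in a doc root.
SAMPLE_FILES = [
    "config.inc",
    "header.inc",
    "db.inc.php",
    "config.inc.bak",  # backup copy: not matched by \.inc$
    "config.inc~",     # editor backup: not matched by \.inc$
    "config.INC",      # <Files ~> regex is case-sensitive
    "index.php",
]


def denied_by(patterns, filename):
    """True if any <Files ~> pattern matches; Apache does a regex search,
    not a full match, so anchors in the pattern decide what is covered."""
    return any(re.search(p, filename) for p in patterns)


def still_served(patterns, filenames):
    """Files that no pattern denies and Apache would therefore serve."""
    return [f for f in filenames if not denied_by(patterns, f)]


def exposed_raw(patterns, filenames, php_suffixes=(".php",)):
    """Of the served files, those Apache would send as plain text because
    no PHP handler claims them (the raw-include-leak case)."""
    return [f for f in still_served(patterns, filenames)
            if not f.endswith(php_suffixes)]


if __name__ == "__main__":
    print("leaked raw with thread patterns:",
          exposed_raw(THREAD_PATTERNS, SAMPLE_FILES))
    print("leaked raw with broader pattern:",
          exposed_raw([BROADER_PATTERN], SAMPLE_FILES))
```

Even with the broader pattern the case-variant file stays exposed, which is why storing includes above the doc root (point 1) is the stronger control.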


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php