A good method is to create a lib directory under the application, and
restrict the webserver access to it, like this:

If the application is /myapps/myapp.php, you include "lib/os_secrets.xyz".
In Apache, you do:

<Location /myapps/lib>
deny from all
</Location>

As the PHP script engine does not need webserver approval to read the file, it
works fine.

[]s
Nelson Junior
[EMAIL PROTECTED]
[EMAIL PROTECTED]
----- Original Message -----
From: "Gabor Hojtsy" <[EMAIL PROTECTED]>
To: "Leszek Krupiński" <[EMAIL PROTECTED]>
Cc: "Vip Malixi" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Sunday, November 25, 2001 7:32 PM
Subject: Re: [PHP-DOC] Re: PHP: Cool PHP Tips


> > > 1. always use ".php" (or
> > > ".php3" for earlier versions) file name extensions for
> > > include files, otherwise, crackers can view your
> > > code.
>
> It should be written in another way. We should warn about that
> danger and inform about a few methods of solving that problem. A way
> other than shown above is to set .inc (or any other) extension to
> be parsed by webserver.

OK, this letter can give us something to talk about,
give ideas together and expand that security chapter...

Goba
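
An audit for the two protections discussed in this thread (a web-denied lib directory, and include extensions handed to the PHP engine), as an added example that is not code from any of the posters. The function names, the inc/db.inc file and the sample tree are constructed for illustration; the script does not read the Apache configuration, so parsed_exts and denied_dirs must be filled in from it by hand, and it assumes the scanned directory is served at the URL root.

```python
import os
import tempfile

PHP_TAGS = (b"<?php", b"<?=")  # assumption: short "<?" tags are not searched for

def find_exposed_includes(docroot, parsed_exts=(".php",), denied_dirs=()):
    """Return docroot-relative paths of files that hold PHP code but would be
    sent as plain text: extension not parsed, directory not denied."""
    denied = [d.strip("/") for d in denied_dirs]
    exposed = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(base, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in parsed_exts:
                continue  # handed to the PHP engine, source is never sent
            if any(rel == d or rel.startswith(d + "/") for d in denied):
                continue  # covered by a deny rule such as <Location /myapps/lib>
            with open(full, "rb") as fh:
                head = fh.read(65536)
            if any(tag in head for tag in PHP_TAGS):
                exposed.append(rel)
    return sorted(exposed)

def build_sample_tree(root):
    """Write a small constructed document root used by the demonstration."""
    files = {
        "myapps/myapp.php": b'<?php include "lib/os_secrets.xyz"; ?>',
        "myapps/lib/os_secrets.xyz": b'<?php $db_pass = "example"; ?>',
        "myapps/inc/db.inc": b'<?php $dsn = "example"; ?>',  # hypothetical file
        "myapps/readme.txt": b"no code here",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print("no protection:  ", find_exposed_includes(root))
        print("lib denied:     ", find_exposed_includes(root, denied_dirs=["/myapps/lib"]))
        print("lib denied, .inc parsed:",
              find_exposed_includes(root, (".php", ".inc"), ["/myapps/lib"]))
```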

