Re: [PHP] .INC files
On Thu, 02 Jun 2005 00:44:12 -0400, in php.general [EMAIL PROTECTED] (Chris Shiflett) wrote: 3. The debate between storing includes outside of document root versus using a .php file extension, instructing Apache to process .inc files as PHP, instructing PHP to deny requests for .inc files, etc. I agree regarding code on your own server/project. I do believe that the situation is another when you are manager of some project where your php code is being distributed to several different systems beyond your control (think phpmyadmin, phpnuke, etc. - maybe not the best examples regarding security record, though :-) In that case, one could create some requirements regarding the installation of the php application that some customers at web hosting companies might not be able to follow (e.g. create a .htaccess denying .inc-files, create folders outsite of webscope), or one could make a trade-off between ease of installation and highed security. One way of achieving this could be the sole use of .php-extensions (and code constructed in a way that direct access would cause no harm). I believe that there is reason to differ in these two cases for practical reasons. In the latter case a lot of assumptions could cause damage. Poorly implemented high security could be worse than moderate, application based security. -- - Peter Brodersen -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] .INC files
OK... Let me explain a couple things...
On Wed, June 1, 2005 1:29 am, Denis Gerasimov said:
Second, which way are you differ PHP .inc files from HTML .inc files?
There is no such thing as an HTML .inc file. :-)
I see what you mean... but I use templating systems to separate code from
design, so I have to differ PHP .inc files from HTML .inc files ;-)
All your HTML .inc files, by definition, if they are being require'd or
include'd into PHP *are* PHP .inc files.
It is merely a coincidence of your design that they happen to have no
?php ? tags in them.
You *MAY* want to separate those into another other non-web tree
directory.
Of course, I do. My WWW root contains just a couple of files (like
application.php, robots.txt, favicon.ico etc.). All other included files are
stored outside document root.
Third, I always write context-independent include files.
Example?...
Example something.inc.php:
?php
define('DIR_SOMEDIR', DIR_ROOT . '/somedir/');
function someFunc($num) {
return $num / 2;
}
class MyClass {
var $_someVar;
}
?
Get me? :-)
You *NEED* to have the policy/procedure in place to get those .inc and
.inc.php and non-entry .php files *OUT* of the web-tree, or you will get
bit, sooner or later.
For 5 minutes of time, you can avoid dozens of potential pitfalls. [shrug]
Agree completely. So what I meant is .inc.php is *not* a security measure,
but just a way to make my life more comfortable.
But seems that that is a question of taste in some way. ;-)
Best regards,
Denis Gerasimov,
Chief Developer, VEKOS Ltd.
www.vekos.ru
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
I do not agree. Not agreeing with Rasmus on a PHP list, can be seriously damaging to your credability, unless you really know what you're talking about and have a solid argument. Having that said, I personally use .inc.php - .inc as Rasmus said, to denote include files, and .php because I couldn't be bothered configuring my editor, to syntax highlight .inc files. There are security arguments to be made for both approaches: - .php (generally)means that any code is parsed as PHP - which generally means that it can't be read as source code. - .inc (generally) means that it won't execute if it is called on its own, so even if it does contain code that shouldn't be run in isolation it won't be run. - how about .inc.php.cgi? (: /me Ducks to avoid flamebashing.) Having that said, I'm about to make the same mistake, by disagreeing(sort of) with someone else on this list, who is generally right: (By the way, it's faster to specify an absolute path to your includes than to rely on include_path. You can save PHP the hassle of searching.) I see what you're saying, but the human time, you lose in keeping track where the include files are, and modding the code, any time it is moved would counteract his. Having that said, I suppose you could define an INCLUDES_DIR constant, and then include(INCLUDES_DIR . /include.ext). Alternatively if the include_path, contained the path that your includes were in, (and only the directory where you put your includes), then php wouldn't have very far to search. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
Rory Browne wrote: Alternatively if the include_path, contained the path that your includes were in, (and only the directory where you put your includes), then php wouldn't have very far to search. Well, no real difference between that and just making sure most of your includes are in the first path in the include_path list. It's still an extra stat() syscall to do an include_path check. And by the way, a simple: include 'foo.inc'; is an include_path include which has the extra syscall overhead. By default . is in the include_path. A quick way to track these down is to simple remove . from your include_path and by looking at the errors go through and change all those to: include './foo.inc'; -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
Richard Lynch wrote: On Wed, June 1, 2005 1:29 am, Denis Gerasimov said: Second, which way are you differ PHP .inc files from HTML .inc files? There is no such thing as an HTML .inc file. :-) All your HTML .inc files, by definition, if they are being require'd or include'd into PHP *are* PHP .inc files. It is merely a coincidence of your design that they happen to have no ?php ? tags in them. You *MAY* want to separate those into another other non-web tree directory. Third, I always write context-independent include files. Example?... Can you guarantee that ever .inc and .inc.php and .php file in every third-party application is context-independent? Suppose your client insists tomorrow that you install [insert least favority forum software here]? You *NEED* to have the policy/procedure in place to get those .inc and .inc.php and non-entry .php files *OUT* of the web-tree, or you will get bit, sooner or later. It's simply too easy to transfer a site and lose the .htaccess files, or I've been bitten by that :-) so what I often do now is use a 'root' .htaccess to define my include_path, without it the whole site does nothing except go 'argh' at the first line of each script that can be calledthe first line always being 'include '; so now I don't forget to copy the .htaccess. ;-) also this approach makes it easier to check out a project from CVS and get it running whereever - you just need to create/edit (.htaccess don't live in my CVS for the very reason that they are specific to a given checkout/installation) a suitable .htaccess and the site goes. it's been a great week for tips and advice from the 'big guns' - thanks to you all, I really have learnt alot this week! (who are big guns? well their names are either splattered all over the source or they have been hammering this list with knowledge for years or both! yes you too Richard ;-) for a new/changed httpd.conf to not have the .inc rules or mess up PHP completely or... Why risk the possibility of your code being exposed or executed out of context when it's so *EASY* to move the include files and set include_path? I just don't understand the resistance to such a simple straight-forward elegant security measure. For 5 minutes of time, you can avoid dozens of potential pitfalls. [shrug] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] .INC files
Files ~ \.inc$ Order allow,deny Deny from all /Files Without this rule people would be able to access the .inc file directly and since PHP won't parse it, the raw source code would be visible which could be a security problem. If you prevent this simply by putting .php onto the end of your include files, you could have a different security problem in that files designed to be included could be run out of their include context and could potentially do something unexpected. I do not agree. First, this works the same way: Files ~ \.inc\..*$ Order allow,deny Deny from all /Files Second, which way are you differ PHP .inc files from HTML .inc files? Many programs can't too... IMHO it is very inconvenient. Third, I always write context-independent include files. Objections? Thank you. Best regards, Denis Gerasimov, Chief Developer, VEKOS Ltd. www.vekos.ru -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
Denis Gerasimov wrote: Files ~ \.inc$ Order allow,deny Deny from all /Files Without this rule people would be able to access the .inc file directly and since PHP won't parse it, the raw source code would be visible which could be a security problem. If you prevent this simply by putting .php onto the end of your include files, you could have a different security problem in that files designed to be included could be run out of their include context and could potentially do something unexpected. I do not agree. First, this works the same way: Files ~ \.inc\..*$ Order allow,deny Deny from all /Files cool. cheers for that :-) Second, which way are you differ PHP .inc files from HTML .inc files? Many programs can't too... IMHO it is very inconvenient. Third, I always write context-independent include files. Objections? I'd say so. a, your disagreement is more like an amendment. b, whats an HTML .inc file anyway? c, you can use a directory structure to help identify your files. d, seems to me Rasmus was offering his way of doing 'it' (and highlighting potential security issues) rather than stating how you must do it, granted he invented(is that the correct word?) php so chances are that his idea(s) are solid even though you may disagree initially :-) me I stick a '.php' at the end of every filename (habit mostly) and keep all my includes outside of the webroot. mostly its personal preference so long as you keep safety in mind, right? :-) Thank you. Best regards, Denis Gerasimov, Chief Developer, VEKOS Ltd. www.vekos.ru -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] .INC files
On Wed, June 1, 2005 1:29 am, Denis Gerasimov said: Second, which way are you differ PHP .inc files from HTML .inc files? There is no such thing as an HTML .inc file. :-) All your HTML .inc files, by definition, if they are being require'd or include'd into PHP *are* PHP .inc files. It is merely a coincidence of your design that they happen to have no ?php ? tags in them. You *MAY* want to separate those into another other non-web tree directory. Third, I always write context-independent include files. Example?... Can you guarantee that ever .inc and .inc.php and .php file in every third-party application is context-independent? Suppose your client insists tomorrow that you install [insert least favority forum software here]? You *NEED* to have the policy/procedure in place to get those .inc and .inc.php and non-entry .php files *OUT* of the web-tree, or you will get bit, sooner or later. It's simply too easy to transfer a site and lose the .htaccess files, or for a new/changed httpd.conf to not have the .inc rules or mess up PHP completely or... Why risk the possibility of your code being exposed or executed out of context when it's so *EASY* to move the include files and set include_path? I just don't understand the resistance to such a simple straight-forward elegant security measure. For 5 minutes of time, you can avoid dozens of potential pitfalls. [shrug] -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
Richard Lynch wrote: Why risk the possibility of your code being exposed or executed out of context when it's so *EASY* to move the include files and set include_path? I just don't understand the resistance to such a simple straight-forward elegant security measure. For 5 minutes of time, you can avoid dozens of potential pitfalls. [shrug] I completely agree with this sentiment, and it is relevant to many discussions, such as: 1. The debate between using mysql_real_escape_string() versus addslashes() or magic_quotes_gpc. 2. The debate between escaping data to be sent to the client with htmlentities() versus using str_replace() to just replace angled brackets with their HTML entity equivalents. 3. The debate between storing includes outside of document root versus using a .php file extension, instructing Apache to process .inc files as PHP, instructing PHP to deny requests for .inc files, etc. All of these discussions are a result of developers being foolish and stubborn. Just because you might not be able to think of an exploit for your particular approach doesn't mean that it's safe. Web application security is a highly specialized discipline, and unless you really know what you're doing, it's unlikely that you can properly refute practices that have been developed and refined over many years. Stick with best practices unless you are certain that they're not actually best, in which case, you should share your evidence with the community. :-) (By the way, it's faster to specify an absolute path to your includes than to rely on include_path. You can save PHP the hassle of searching.) Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
Martin Zvarik wrote: Hi, I saw files like file.inc.php and file.inc What is the *.inc suffix good for ? Thank you for replies. Martin It doesn't matter. PHP will parse either if you call them via include() or require() I guess it just boils down to your preference. -- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
Martin Zvarik wrote: Hi, I saw files like file.inc.php and file.inc What is the *.inc suffix good for ? I don't see the point in file.inc.php, but file.inc is something I use all the time to indicate that a file is designed to be included and not accessed directly. Then I have an Apache config rule that prevents direct access to the file which looks like this: Files ~ \.inc$ Order allow,deny Deny from all /Files Without this rule people would be able to access the .inc file directly and since PHP won't parse it, the raw source code would be visible which could be a security problem. If you prevent this simply by putting .php onto the end of your include files, you could have a different security problem in that files designed to be included could be run out of their include context and could potentially do something unexpected. -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
On 5/30/05, Martin Zvarik [EMAIL PROTECTED] wrote: Hi, I saw files like file.inc.php and file.inc What is the *.inc suffix good for ? Thank you for replies. Martin I think it means that the files were meant to be included...not called by themselves. I'm just guessing though...:) Then the server could be configured to deny access to these file types. Then the only way the code can be executed is to run the file that includes it Anyone else out there know for sure?? -- PHP rocks! Knowledge is Power. Power Corrupts. Go to school, become evil Disclaimer: Any disclaimer attached to this message may be ignored. However, I must say that the ENTIRE contents of this message are subject to other's criticism, corrections, and speculations. This message is Certified Virus Free -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] .INC files
they're usually used as includes, hence the INC part. files that have certain functions/classes that another script requires and people use them to split up the code. I don't and have never created .inc files.. all my files end in .php -- but that's just me. Martin Zvarik wrote: Hi, I saw files like file.inc.php and file.inc What is the *.inc suffix good for ? Thank you for replies. Martin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
