Re: [PHP] Newbie Q: Any difference what the .ext is on include() files???

2002-09-30 Thread @ Edwin

Hello,

On Monday, September 30, 2002 4:32 PM
Subject: Re: [PHP] Newbie Q: Any difference what the .ext is on include() files???
[ Rene Brehmer ] wrote:
> I appreciate your advice, but it would not really apply to my structure
> ... because of the amount of files I use, I've got separate include
> folders for each section ... otherwise I'd get all weird in the head
> trying to remember which files go where.

Of course, it's a good idea (and a good practice) to separate folders
for each section of your site ("/images/", "/blahblah/", etc.). But,
putting all include files in *one* folder (like "/inc/" or "/includes/" as
suggested).
Why, do you have thousands of files?

> Basically it's the site in my sig that I'm converting to PHP, with a few
> minor changes, made (easily) possible by the PHP. My first concern is to
> make the site without a frameset, and without requiring any scripting
> clientside. Once launched, I'll be looking into improving the site as much
> as possible...taking as much advantage of PHP as possible ... but again, I
> don't know the full extent of my options until I've gotten my webhotel...
>
> How'd anyone be able to pull out my PHP source anyway?

You mean the "includes"? There are many ways if you don't follow the
conventions (or suggestions) already given.

> Since it's an http server, it'll only respond to http requests, and since
> php is processed upon request,

Why, did you name all your files with a .php extension? Or, are you sure
that all your *.ext are being processed as php files?

> the entire source will be altered to just
> html ... don't get that ... at least the way I do it, the path to the
> included files is hidden, 'cause it's all variable controlled ... it just
> plugs together the variable with some path parts, directly in the
> include(...).

?

> So for anyone to pull the includes, they'll need to know the exact path to
> them, in order to retrieve them, right?

Right. Perhaps.

But you only need time to find out... unless you name your folders
(or included files) something like:

  /thisIsMyVeryhardT0GuessFolderHehehe/
  thisIsMyVeryhardT0GuessFolderHehehe.withVeryHardt0GuessExt
maybe it takes more time ;)

- E

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Newbie Q: Any difference what the .ext is on include() files???

2002-09-30 Thread John W. Holmes

[snip]
> How'd anyone be able to pull out my PHP source anyway? Since it's an http
> server, it'll only respond to http requests, and since php is processed
> upon request, the entire source will be altered to just html ... don't get
> that ...

Yeah, that's true if you give it a .php extension. But, you have to
remember that anyone can now run the php page and have it executed out
of context. It may or may not be an issue, depending on your code. 

> at least the way I do it, the path to the included files is
> hidden, 'cause it's all variable controlled ... it just plugs together the
> variable with some path parts, directly in the include(...).
>
> So for anyone to pull the includes, they'll need to know the exact path to
> them, in order to retrieve them, right?

Security through obscurity. Give someone a reason and they'll figure out
the path. I think the best solution for you right now is to go ahead and
give them a .php extension, but be aware of what will happen when that
script is run by itself, with register globals on or off. 

---John Holmes...







Re: [PHP] Newbie Q: Any difference what the .ext is on include() files???

2002-09-30 Thread -<[ Rene Brehmer ]>-

I appreciate your advice, but it would not really apply to my structure
... because of the amount of files I use, I've got separate include
folders for each section ... otherwise I'd get all weird in the head
trying to remember which files go where.

Basically it's the site in my sig that I'm converting to PHP, with a few
minor changes, made (easily) possible by the PHP. My first concern is to
make the site without a frameset, and without requiring any scripting
clientside. Once launched, I'll be looking into improving the site as much
as possible...taking as much advantage of PHP as possible ... but again, I
don't know the full extent of my options until I've gotten my webhotel...

How'd anyone be able to pull out my PHP source anyway? Since it's an http
server, it'll only respond to http requests, and since php is processed
upon request, the entire source will be altered to just html ... don't get
that ... at least the way I do it, the path to the included files is
hidden, 'cause it's all variable controlled ... it just plugs together the
variable with some path parts, directly in the include(...).

So for anyone to pull the includes, they'll need to know the exact path to
them, in order to retrieve them, right?

Rene

On Sat, 28 Sep 2002 18:52:47 -0400,  wrote about "RE:
[PHP] Newbie Q: Any difference what the .ext is on include() files???"
something that looked like this:

>The only thing to worry about is that if someone pulls up your include
>file, they're likely to see it as plain text and all of the code within
>it will be visible. If there is no PHP code within the file, or the PHP
>code is irrelevant (no passwords, logic, etc), then it doesn't matter. 
>
>I normally name my include files as file.inc.php. But (there is always a
>but) you have to remember that this file can be run out of context now,
>and all of the PHP code within it will be evaluated. It may or may not
>matter, but it's something to stay aware of. 
>
>A third option is to place them in an .htaccess protected directory or
>add a rule that .inc or .psrc files can't be called up through the
>browser (deny all). Depending on your web server, this may or may not be
>possible.
>
>The safest and best method to using includes is to store them outside of
>the webroot, so they can't be called by the browser at all. An easy way
>to do this is to define two variables, the html path, and the include
>path.
>
>$_CONF['html'] = '/home/groups/user/htdocs/';
>$_CONF['include'] = '/home/groups/user/includes/';
>
>And then base all of your include(), fopen(), header(), href, etc, off
>of those two variables. Makes moving your sites very easy, too, just
>change the values of those variables...

-- 
Rene Brehmer
System developer in the making...

This message was written on 100% recycled spam.

My website: http://www.geocities.com/cerberus_hotdog
Babes and computer & internet references...





RE: [PHP] Newbie Q: Any difference what the .ext is on include() files???

2002-09-28 Thread John W. Holmes

The only thing to worry about is that if someone pulls up your include
file, they're likely to see it as plain text and all of the code within
it will be visible. If there is no PHP code within the file, or the PHP
code is irrelevant (no passwords, logic, etc), then it doesn't matter. 

I normally name my include files as file.inc.php. But (there is always a
but) you have to remember that this file can be run out of context now,
and all of the PHP code within it will be evaluated. It may or may not
matter, but it's something to stay aware of. 

A third option is to place them in an .htaccess protected directory or
add a rule that .inc or .psrc files can't be called up through the
browser (deny all). Depending on your web server, this may or may not be
possible.

The safest and best method to using includes is to store them outside of
the webroot, so they can't be called by the browser at all. An easy way
to do this is to define two variables, the html path, and the include
path.

$_CONF['html'] = '/home/groups/user/htdocs/';
$_CONF['include'] = '/home/groups/user/includes/';

And then base all of your include(), fopen(), header(), href, etc, off
of those two variables. Makes moving your sites very easy, too, just
change the values of those variables...

---John Holmes...

> -Original Message-
> From: -<[ Rene Brehmer ]>- [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, September 28, 2002 4:57 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Newbie Q: Any difference what the .ext is on include()
> files???
> 
> Hi y'all
> 
> I've only been working with PHP for the past 2-3 weeks, so there's a lot of
> things I haven't quite grasped 100% yet ...
>
> Basically what I'm doing is converting my old framed, js-driven, HTML
> website, with 137 physical pages (individual HTML files) and some
> dynamically created ones, into a full-fledged PHP site ...
>
> As the whole idea in this is to get rid of the frameset, and reuse as much
> code as entirely possible, I'm using 5-6 PHP "master" files (I'm only
> through converting little more than half the site by now), which then mix
> and match variables to include the right files for bodies and menus and
> such...
>
> But here's the real Q: Does it matter at all what extension I use for the
> include() source files???
> I mean, they're the old HTML files that I strip down to the most basic,
> with a few HTML tags to control the formatting, so my thought pattern is
> that .html is wrong, because it's not real HTML (in that it lacks
> everything that makes them HTML), and it's not really .txt, because it
> contains formatting characters ... so in lack of better, I decided to name
> them .psrc (for PHP source) ...
>
> Right now I'm only running the site on test-basis on my own PHP on Apache
> on WinXP, where it works well, no matter what ext I use (provided I
> remember to update the include() command to reflect it of course). But it's
> going to be uploaded to a webhotel I haven't bought yet ... so I just want
> to know: Do I risk any functionality in using my own extensions? Or does
> PHP as a general not care about the include() extensions???
>
> I do have some .php includes, because they run PHP code, but most of my
> includes are just text that needs to put in the right part of a table...
> 
> TIA
> 
> Rene
> --
> Rene Brehmer
> System developer in the making...
> 
> This message was written on 100% recycled spam.
> 
> My website: http://www.geocities.com/cerberus_hotdog
> Babes and computer & internet references...
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
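
The layout discussed in this thread, as an added example that is not part of the original messages: one entry script under the web root, includes stored outside it, a guard for include files that get run out of context, and a lookup table in place of path parts assembled from a variable. The two `$_CONF` paths are the ones from the post; `APP_ENTRY`, `SECTIONS`, `resolve_include()` and the `section` parameter are hypothetical names, and the syntax assumes PHP 7.1 or later.

```php
<?php
// index.php: the only script kept under the web root (added example).
// The two base paths are the ones from the post; APP_ENTRY, SECTIONS and
// the "section" parameter are hypothetical names.
$_CONF['html']    = '/home/groups/user/htdocs/';
$_CONF['include'] = '/home/groups/user/includes/';  // not reachable by URL

// Guard marker. Include files test for it, so a copy that still sits under
// the web root does nothing when it is requested on its own. Constants are
// never populated from request data, whatever register_globals is set to.
define('APP_ENTRY', true);

// Lookup table: the request supplies a key, never path parts.
const SECTIONS = [
    'home'  => 'home/body.inc.php',
    'links' => 'links/body.inc.php',
];

// Return the absolute path for a known section, or null.
function resolve_include(string $base, array $map, string $key): ?string
{
    if (!isset($map[$key])) {
        return null;                        // unknown section: refuse
    }
    $root = realpath($base);
    $path = realpath($base . $map[$key]);   // false if the file is missing
    if ($root === false || $path === false) {
        return null;
    }
    // Reject anything that resolves outside the include directory
    // (for example through a symlink).
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$key  = isset($_GET['section']) && is_string($_GET['section'])
      ? $_GET['section'] : 'home';
$file = resolve_include($_CONF['include'], SECTIONS, $key);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;

// First line of each include file, e.g. home/body.inc.php:
//   if (!defined('APP_ENTRY')) { http_response_code(403); exit; }
```

With this layout the extension of the include files no longer decides whether their source can be read, because no URL maps to them.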



