Larry Rappaport wrote:
I have been told that it is improper to use .inc as an extension for
server side includes.  Ex: menu.inc.

What is the proper extension to use for server side includes and into
which directory should they be placed?

It all comes down to how your server is set up. In the majority of cases,
servers are not set up to do anything special when encountering files with
a .inc extension. Although this does not impede execution when included
(e.g. in PHP, include('blah.inc') will still work), there is a danger that if anybody
finds out the location of the includes, they can just open them in their browser
and see them as clean text (as, by default, the web server will send any files
with an extension it doesn't know how to handle as text/plain). Now, if you have
include files that also contain information like database connection details with
usernames and passwords, this would mean that anybody who (accidentally or not)
finds your includes can simply read this type of sensitive information.


I've always advised my web authors to do one of two things:

a) either set up your server to also parse .inc files (e.g., if you're using PHP, set
your server so it handles .inc files the same way it would .php ones); or
b) simply use the extension of your server-side language (again, in the case of PHP,
simply use .php)


This way, in the worst case, somebody who tries to access an include file on its
own will only see any output the include might generate. They won't see the source
code, and won't see things like database connection details or any other business
logic.


Now, on the subject of directories: an additional safeguard to prevent people from
accessing includes in their browser on their own is to have a directory for include
files which is completely outside of the normal web root, meaning that it's not possible
to actually get to them from the web. Only your server-side language - as it can
access your server's real file system - can get to them when generating the page.


Hope this makes some kind of sense. If you *are* using PHP, have an additional look
at http://www.php.net/manual/en/security.php


Patrick H. Lauke
_____________________________________________________
re·dux (adj.): brought back; returned. used postpositively
[latin : re-, re- + dux, leader; see duke.]
www.splintered.co.uk | www.photographia.co.uk
http://redux.deviantart.com
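An added audit script, not part of the original thread, that walks a document root and lists PHP source files whose extension the server would not hand to the interpreter (and so would serve as text/plain, as Patrick describes); the sample web root, the set of "parsed" extensions and the credential markers are constructed assumptions.

```python
"""Audit a web document root for include files a web server would serve as
text/plain, i.e. PHP source whose extension the server is not set up to parse."""
import os
import tempfile

# Assumption: a default mod_php setup parses only .php. A server configured to
# also parse .inc (option a in the reply above) would add ".inc" to this set.
PARSED_EXTENSIONS = {".php"}

# Constructed markers for content that must never reach a browser as plain text.
SENSITIVE_MARKERS = ("password", "mysql_connect", "mysqli_connect", "DB_PASS")


def exposed_includes(docroot, parsed=PARSED_EXTENSIONS):
    """Return sorted (relative path, contains_credentials) pairs for files under
    docroot that contain PHP code but carry an extension the server won't parse."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in parsed:
                continue  # handed to the interpreter; only its output is served
            with open(path, "r", errors="replace") as fh:
                body = fh.read()
            if "<?" not in body:
                continue  # not PHP source; a plain .txt is fine served as text
            has_secrets = any(marker in body for marker in SENSITIVE_MARKERS)
            findings.append((os.path.relpath(path, docroot), has_secrets))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample web root: a parsed .php include, an exposed menu.inc,
    and an exposed config.inc holding a (placeholder) database password."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": "<?php include('menu.inc'); include('lib/db.php'); ?>",
        "menu.inc": "<?php echo '<ul><li>Home</li></ul>'; ?>",
        "lib/db.php": "<?php $link = mysqli_connect('localhost', 'app', 'x'); ?>",
        "config.inc": "<?php $password = 'example-placeholder'; ?>",
        "readme.txt": "plain notes, not code",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, secrets in exposed_includes(build_sample_docroot()):
        print(rel, "served as text/plain" + (", contains credentials" if secrets else ""))
```

Re-running the audit with `{".php", ".inc"}` as the parsed set shows what option (a) in the reply buys you: nothing is flagged, because the server would execute the .inc files instead of sending their source.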

******************************************************
The discussion list for  http://webstandardsgroup.org/

See http://webstandardsgroup.org/mail/guidelines.cfm
for some hints on posting to the list & getting help
******************************************************