This is what made sense to me: save the included files as myfile.inc.php (so I know at first sight it is an include), put all of them into an 'includes' directory inside the server root (so it's easier to port the whole thing to another server) and prevent Apache from serving anything from that directory with a .htaccess file containing:
# Apache 2.2 access-control syntax; no space after the comma in "allow,deny"
order allow,deny
deny from all

This effectively makes the content of the directory unreachable from any web client, while PHP doesn't care for .htaccess files. Even if PHP were to break down, the file content will not be sent to the client. It's more or less the same as putting it outside the server root, except for the portability.

djn

b) simply use the extension of your server-side language (again, in the case of PHP, simply use .php)

This way, in the worst case, somebody who tries to access an include 
file on its own will only see any output the include might generate. They won't see 
the source code, and won't see things like database connection details or any other 
business logic.

Now, on the subject of directories: an additional safeguard to prevent 
people from accessing includes in their browser on their own is to have a directory 
for include files which is completely outside of the normal web root, meaning that 
it's not possible to actually get to them from the web. Only your server-side language - 
as it can access your server's real file system - can get to them when generating 
the page.

Dejan Kozina
Dejan Kozina Web Design Studio
http://www.kozina.com/
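An added example, not code from this thread: a POSIX shell audit that walks a document root and reports every *.inc or *.inc.php file that is not shielded by a deny-all .htaccess in its own directory or a parent, recognising both the Apache 2.2 form shown above and the Apache 2.4 equivalent (Require all denied). The naming convention is the one discussed above, and the sample tree is constructed inline.

```shell
#!/bin/sh
# Added example: audit a document root for include files Apache would still serve.
# A directory counts as shielded when it, or a parent up to the document root,
# carries a .htaccess that denies everything: Apache 2.2 "deny from all" or the
# Apache 2.4 equivalent "Require all denied". Assumes the *.inc / *.inc.php naming
# discussed above; whether .htaccess is honoured at all depends on AllowOverride.

# dir_is_denied DOCROOT DIR: succeeds when DIR is covered by a deny-all .htaccess
dir_is_denied() {
  docroot=${1%/}
  dir=${2%/}
  while :; do
    if [ -f "$dir/.htaccess" ] && grep -qiE \
        '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' \
        "$dir/.htaccess"; then
      return 0
    fi
    # stop at the document root (or at / or . if DIR was not under DOCROOT)
    if [ "$dir" = "$docroot" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
      return 1
    fi
    dir=$(dirname "$dir")
  done
}

# find_exposed_includes DOCROOT: prints every include file still reachable over HTTP
find_exposed_includes() {
  docroot=${1%/}
  find "$docroot" -type f \( -name '*.inc' -o -name '*.inc.php' \) | sort |
  while IFS= read -r f; do
    dir_is_denied "$docroot" "$(dirname "$f")" || printf '%s\n' "$f"
  done
}

# Constructed sample tree for a stand-alone run: one shielded, one exposed include
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/includes" "$root/legacy/lib"
  printf 'order allow,deny\ndeny from all\n' > "$root/includes/.htaccess"
  : > "$root/includes/db.inc.php"      # shielded by includes/.htaccess
  : > "$root/legacy/lib/config.inc"    # exposed: no deny-all .htaccess above it
  find_exposed_includes "$root" | sed "s|^$root/||"   # prints legacy/lib/config.inc
  rm -rf "$root"
}
demo
```

The script only looks at .htaccess files, so it cannot tell whether AllowOverride actually lets Apache apply them; includes kept outside the document root, as the quoted message suggests, never show up in the listing at all.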