What's the safest extension to use for included files?

RacerX
Forum Newbie
Posts: 21
Joined: Tue Jul 01, 2003 9:21 am
Location: NorthEast USA

What's the safest extension to use for included files?

Post by RacerX »

I've heard to stay away from '.inc' and '.txt' for security reasons as well as to hide code.

What would be the safest file extension to use?
fractalvibes
Forum Contributor
Posts: 335
Joined: Thu Sep 26, 2002 6:14 pm
Location: Waco, Texas

Post by fractalvibes »

For PHP, I'd guess *.php would be the best to use.

Phil
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Sigh... not this again...

The security reason = hiding the code. So it's a single argument against using anything other than .php for code files.

However there are lots of other ways of hiding the code which I feel are more appropriate.

Possibilities:
Using your webserver's configuration to block access to *.inc (using .htaccess or httpd.conf)

Placing the include files outside of the web-tree

Yes, depending on your host provider neither may be an option. And in that case you're stuck with either .php or .inc.php to hide the code. However, in general one of the two above possibilities works, which allows you to name your extensions whatever you want.

I like using .inc for configuration, class, and library includes. It helps to provide, at a glance, the role of the file. In my applications .php's are always web-accessible, viewable files.
RacerX
Forum Newbie
Posts: 21
Joined: Tue Jul 01, 2003 9:21 am
Location: NorthEast USA

Post by RacerX »

I *think* I can alter my .htaccess file.

Two questions then:
1. What is the syntax for the .htaccess?
2. How do I know it worked/files are safe?

Thanks!
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

# The pattern after "~" is a regular expression: match any filename ending in .inc
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

To tell if it worked, try opening one of your .inc files in the browser and you should get an access denied/forbidden type page.


Of course if you develop on your machine, make sure you either also Deny the autosave files or you delete them. (Such as the foo.inc~ files that emacs creates)
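
An added example, not part of any post in this thread: a small audit that walks a document root and lists source-like files (includes, editor backups) that the server would send as plain text under a given set of `<Files ~ "...">` deny patterns. It assumes only names ending in `.php` are executed by PHP and that Python's regex syntax is close enough to Apache's for simple patterns; the sample tree and all function names are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the server hands only *.php to the PHP interpreter.
EXECUTED = re.compile(r"\.php$")
# Names that probably hold PHP source: .inc/.php anywhere in the extension
# chain, or an editor backup ending in "~" (such as emacs' foo.inc~).
SOURCE_LIKE = re.compile(r"\.(inc|php)(\.|~|$)|~$")
# Constructed sample tree, relative to the document root.
SAMPLE_FILES = ["index.php", "index.php.bak", "style.css",
                "lib/db.inc", "lib/db.inc~", "lib/config.inc.php"]

def classify(name, deny_patterns):
    """Return 'denied', 'executed' or 'exposed' for one file basename."""
    # <Files ~ "regex"> is tested against the basename, unanchored.
    if any(re.search(p, name) for p in deny_patterns):
        return "denied"
    if EXECUTED.search(name):
        return "executed"
    return "exposed"

def audit(docroot, deny_patterns):
    """List source-like files under docroot that would be sent as plain text."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if SOURCE_LIKE.search(name) and classify(name, deny_patterns) == "exposed":
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample(root):
    """Create the constructed sample tree under root."""
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for label, deny in [("only .inc denied", [r"\.inc$"]),
                            ("backups denied too", [r"\.inc$", r"~$", r"\.bak$"])]:
            print(label, "->", audit(root, deny))
```

An empty list means every source-like file is either denied or executed; anything listed should be deleted, moved outside the web tree, or covered by another deny pattern.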