I've heard to stay away from '.inc' and '.txt' for security reasons as well as to hide code.
What would be the safest file extension to use?
What's the safest extension to use for included files?
fractalvibes
Sigh... not this again...
The security reason = hiding the code. So it's a single argument against using anything other than .php for code files.
However there are lots of other ways of hiding the code which I feel are more appropriate.
Possibilities:
Using your webserver's configuration to block access to *.inc (using .htaccess or httpd.conf)
Placing the include files outside of the web-tree
Yes, depending on your host provider neither may be an option. And in that case you're stuck with either .php or .inc.php to hide the code. However, in general one of the two above possibilities works which allows you to do whatever you want to name your extensions.
I like using .inc for configuration, class, and library includes. It helps to provide, at a glance, the role of the file. In my applications .php's are always web-accessible, viewable files.
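# Deny direct HTTP access to any file whose name ends in .inc
# (with "~" the pattern is a regular expression, so "*.inc" is not valid here)
# Apache 2.2 access-control syntax; Apache 2.4 expresses the same rule as: Require all denied
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>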
To tell if it worked, try opening one of your .inc files in the browser and you should get an access denied/forbidden type page.
Of course if you develop on your machine, make sure you either also Deny the autosave files or you delete them. (Such as the foo.inc~ files that emacs creates)
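An added example, not part of the thread: a local audit of a web root for files that contain PHP code but would be sent as plain text, showing why a rule that covers only .inc leaves editor backups such as foo.inc~ readable. It assumes the server executes only *.php; the sample tree, its file names and the wider deny pattern are constructed for illustration.

```python
import os
import re
import tempfile

PHP_HANDLED = re.compile(r"\.php$")          # assumption: only *.php is executed
NO_RULE = re.compile(r"(?!)")                # never matches: no deny rule at all
DENY_INC_ONLY = re.compile(r"\.inc$")        # a rule that covers *.inc alone
DENY_WITH_BACKUPS = re.compile(r"\.inc$|~$")  # hypothetical wider rule, also covers foo.inc~


def exposed_sources(docroot, deny_pattern):
    """Return docroot-relative paths of files that contain PHP code but would be
    served as plain text: not executed as PHP and not matched by the deny rule."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if PHP_HANDLED.search(name) or deny_pattern.search(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                # "<?" covers both "<?php" and short open tags
                if b"<?" in fh.read(4096):
                    exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)


def build_sample_tree():
    """Constructed sample web root: a page, an include, an emacs backup, a text file."""
    root = tempfile.mkdtemp(prefix="docroot-")
    samples = {
        "index.php": "<?php include 'lib/db.inc'; ?>",
        "lib/db.inc": "<?php $db_pass = 'constructed-example'; ?>",
        "lib/db.inc~": "<?php $db_pass = 'constructed-old'; ?>",
        "readme.txt": "no code here",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("no deny rule:", exposed_sources(root, NO_RULE))
    print(".inc only:   ", exposed_sources(root, DENY_INC_ONLY))
    print("with backups:", exposed_sources(root, DENY_WITH_BACKUPS))
```

Point `exposed_sources` at a copy of your own document root with the pattern from your server configuration; an empty list means every code-bearing file is either executed or denied.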