What's the safest extension to use for included files?
Posted: Tue Aug 05, 2003 8:48 am
by RacerX
I've heard to stay away from '.inc' and '.txt' for security reasons as well as to hide code.
What would be the safest file extension to use?
Posted: Tue Aug 05, 2003 9:11 am
by fractalvibes
For PHP, I'd guess *.php would be the best to use.
Phil
Posted: Tue Aug 05, 2003 9:44 am
by nielsene
Sigh... not this again...
The security reason = hiding the code. So it's a single argument against using anything other than .php for code files.
However there are lots of other ways of hiding the code which I feel are more appropriate.
Possibilities:
Using your webserver's configuration to block access to *.inc (using .htaccess or httpd.conf)
Placing the include files outside of the web-tree
Yes, depending on your host provider neither may be an option. And in that case you're stuck with either .php or .inc.php to hide the code. However, in general one of the two above possibilities works which allows you to do whatever you want to name your extensions.
I like using .inc for configuration, class, and library includes. It helps to provide, at a glance, the role of the file. In my applications .php's are always web-accessible, viewable files.
Posted: Tue Aug 05, 2003 9:50 am
by RacerX
I *think* I can alter my .htaccess file.
Two questions then:
1. What is the syntax for the .htaccess?
2. How do I know it worked/files are safe?
Thanks!
Posted: Tue Aug 05, 2003 11:33 am
by nielsene
# "~" makes the argument a regular expression: escape the dot and anchor the end
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
To tell if it worked, try opening one of your .inc files in the browser and you should get an access denied/forbidden type page.
Of course if you develop on your machine, make sure you either also Deny the autosave files or you delete them. (Such as the foo.inc~ files that emacs creates)
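An offline complement to the browser test in the post above, added here as an example and not code from the thread: it reads the deny rules out of an .htaccess text and lists which source-like file names no rule covers, including editor backup files such as foo.inc~. The file list, both rule sets and all function names are constructed for illustration; it assumes the .htaccess applies to every listed file, that only .php is executed by PHP, and that Python's regex engine treats these patterns the same way Apache's does.

```python
import re

# <Files ~ "regex"> or <FilesMatch "regex"> ... closing tag
BLOCK = re.compile(
    r'<Files(?:Match\s+|\s+~\s+)"([^"]+)"\s*>(.*?)</Files(?:Match)?>',
    re.IGNORECASE | re.DOTALL)
DENY_ALL = re.compile(r'^\s*Deny\s+from\s+all\s*$', re.IGNORECASE | re.MULTILINE)
# Names that probably hold PHP source: .inc or .php anywhere in the name.
SOURCE_LIKE = re.compile(r'\.(inc|php)', re.IGNORECASE)

def denied_patterns(htaccess_text):
    """Compile the regex of every block that contains 'Deny from all'."""
    return [re.compile(pattern)
            for pattern, body in BLOCK.findall(htaccess_text)
            if DENY_ALL.search(body)]

def exposed_files(filenames, htaccess_text, parsed_ext=(".php",)):
    """Return names a browser could fetch as plain source text."""
    deny = denied_patterns(htaccess_text)
    exposed = []
    for name in filenames:
        if not SOURCE_LIKE.search(name):
            continue                      # image, stylesheet, etc.
        if name.lower().endswith(parsed_ext):
            continue                      # run by PHP, source is not sent
        if not any(p.search(name) for p in deny):
            exposed.append(name)          # no deny rule covers this name
    return exposed

# Constructed sample data (not from the thread).
HTACCESS = r'''<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>'''
HTACCESS_TIGHT = r'''<FilesMatch "(\.inc|~)$">
Order allow,deny
Deny from all
</FilesMatch>'''
FILES = ["index.php", "db.inc", "db.inc~", "config.inc.php",
         "config.inc.php~", "logo.png"]

if __name__ == "__main__":
    print("rule for .inc only:", exposed_files(FILES, HTACCESS))
    print("rule incl. '~' files:", exposed_files(FILES, HTACCESS_TIGHT))
```

With the .inc-only rule the two backup files are reported as exposed; the second rule set, which also denies any name ending in ~, leaves nothing exposed.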