what does including *.inc.php do?? secure???

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
danselstudios
Forum Newbie
Posts: 24
Joined: Sat Jun 03, 2006 10:47 am
Location: Corona, CA

what does including *.inc.php do?? secure???

Post by danselstudios »

i've seen various tutorials that name their files with the extension 'inc' as follows:

config.inc.php

now, since the information in this file is the mysql database username and password (in order to connect) info, then i'm guessing its for security, or anti-theft.

why is this? what's the difference between config.inc.php and config.php???

also, what is the best way to secure my database information?
is there a way to open my php file and getting my hostname, username and pass??

thanks ahead of time.
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

First of all, the security measure is to make sure you name all of your PHP files with a ".php" extension (or whatever extension(s) are configured to parse PHP). The reason is that you do not want people to be able to view your source code by browsing your site.

Naming files with a ".inc.php" ending is just a convention that some programmers use. It is an older style of naming that was usually used for files that were library or support files -- rather than page scripts. I personally don't find the use of naming conventions like that too useful and prefer to put files in appropriatly named directories instead.
(#10850)
User avatar
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

Well, most people use that naming convention to designate that the file is an include file that is only included by another program and not used as a stand alone program.

It makes it so much easier to look at the filename to know that it is an include file irrespective of the directory it may be located. Some people just have an include directory and stuff everything in there that is used as an include file. Even then sticking .inc before the .php is useful for when you move files around during testing or modification.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

arborint wrote:First of all, the security measure is to make sure you name all of your PHP files with a ".php" extension (or whatever extension(s) are configured to parse PHP). The reason is that you do not want people to be able to view your source code by browsing your site.

Naming files with a ".inc.php" ending is just a convention that some programmers use. It is an older style of naming that was usually used for files that were library or support files -- rather than page scripts. I personally don't find the use of naming conventions like that too useful and prefer to put files in appropriatly named directories instead.
While I agree the use of directories is solid...the use of naming files is also useful...

For instance, my editor (UltraEdit) allows multiple files to be opened at one time...

So I could have (lang.mainview.php, script.mainview.php, core.mainview.php, html.mainview.php, etc) all inside a single editor instance...and without confusion I can quickly tab the file I need to edit.

If I need the language file for that module I'm working on...I know it's inside lang.mainview.php...

If I named all the files mainview.php (and stored them in directories only) I would have to sequentially or randomly select the tabs until I found the language resource file in question...or mouse over each until the tooltip indicated which directory (lang, html, etc) the file resided in...

I can say from experience...that my method works muchy faster then waiting for the tooltip...that sometimes never shows :P at least on my windows systems :)

Cheers :)
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I probably expressed it badly, but my point was that using the ".php" for scripts is a security measure to not expose source code, because the web server calls the PHP module for files with that extension. Whereas naming like ".inc.php" are, testamonials aside, a matter of programmer taste. Not saying they are good or bad, just personal preference.

I also realized that in reading the responses that I probably don't use those types of naming because I use a Front Controller where everything is an include file. Not sure about the editor comment, but I don't use UltraEdit so I haven't noticed that as an issue.
(#10850)
danselstudios
Forum Newbie
Posts: 24
Joined: Sat Jun 03, 2006 10:47 am
Location: Corona, CA

Post by danselstudios »

well all your information is just perfect. i can now just get customed to my own preference, but the important thing here is i understand everything.

thanks to all!

PHP rules!
Post Reply