.inc files treated as PHP files
Posted: Wed Jul 18, 2007 11:33 pm
Hello friends
It is said about include files:
"If you name it .inc, then anyone can go into your directory and download it -- i.e. domain.com/mysql.inc will download, therefore if you have any sensitive data in it, they'll find it. Most people rename it to mysql.inc.php, so that they still have the "inc" identifier, but it's parsed as PHP (so if you define a few variables, it'll be a blank file if they access it directly)."

But on page 34 of this: www.shiflett.org/php-security.pdf

"It is not a good idea to have your modules processed by the PHP engine. This includes renaming your modules with a .php extension as well as using AddType to have .inc files treated as PHP files. Executing code out of context can be very dangerous, because it's unexpected and can lead to unknown results. However, if your modules consist of only variable assignments (as an example), this particular risk is mitigated."
How can it be harmful, as in "Executing code out of context
can be very dangerous"?
May someone give me an example of this?
Thanks
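Added example (not from this thread and not from the PDF quoted above) showing the two problems the quoted passages describe and the usual checks against them. The module name cleanup.inc, the variable $cleanupDir and the temp directory are assumptions made for the demonstration; the module does real work (deletes files) so that running it "out of context" is visibly different from running it through its caller.

```php
<?php
// Added demonstration: a module that does more than assign variables,
// the "executing code out of context" problem, and the guard that stops it.
// File and variable names are assumed for this example.

$moduleSrc = <<<'PHP'
<?php
// cleanup.inc (assumed name): expects the caller to set $cleanupDir first.
// Guard: refuse to run if this file is the top-level script, i.e. it was
// requested directly instead of being pulled in by include/require.
if (realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    fwrite(STDERR, "cleanup.inc: direct access refused\n");
    exit(1);
}
// Without the guard a direct request reaches this line with $cleanupDir
// undefined: an unplanned code path, which is the "unknown results" case.
if (!isset($cleanupDir)) {
    throw new RuntimeException('$cleanupDir was not set by the caller');
}
foreach (glob($cleanupDir . '/*.tmp') ?: [] as $f) {
    unlink($f);
}
echo "cleaned " . $cleanupDir . "\n";
PHP;

// Constructed sandbox: a temp directory holding the module and one .tmp file.
$dir = sys_get_temp_dir() . '/incdemo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/cleanup.inc", $moduleSrc);
touch("$dir/a.tmp");

// 1) Intended use: the caller supplies context, then includes the module.
$cleanupDir = $dir;
include "$dir/cleanup.inc";
echo file_exists("$dir/a.tmp") ? "a.tmp still present\n" : "a.tmp removed by the include\n";

// 2) Simulated direct request: run the module as the top-level script, which is
//    what happens when .inc is mapped to the PHP engine (AddType) and someone
//    requests it by URL. The guard exits before any of the real code runs.
$out = shell_exec(PHP_BINARY . ' ' . escapeshellarg("$dir/cleanup.inc") . ' 2>&1');
echo "direct run: " . trim((string) $out) . "\n";

// 3) Where .inc is NOT mapped to PHP, that same request would return the module's
//    source text verbatim (the "download it" case). Neither mapping is a fix on its
//    own; keeping modules outside the document root removes both problems, e.g.
//    include dirname(__DIR__) . '/private/cleanup.inc';

unlink("$dir/cleanup.inc");
rmdir($dir);
```

Run it with `php` from the command line. The first step prints "cleaned ..." and removes a.tmp because $cleanupDir was set by the caller; the second step prints only the guard's refusal message, because the module detected that it was the top-level script. On Apache the web-server side of the same control is to deny the files outright (for Apache 2.4: `<FilesMatch "\.inc$"> Require all denied </FilesMatch>`), and the cleanest layout is the one in step 3, where the includes are simply not reachable by URL at all.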