PHWinfo - Afficher un message - Parsing a php include (which also contains php code)

22/06/2007, 02h05

..oO(J.O. Aho)

>It's true, the file extension don't matter when you include files in a php
>file, but by default a *.inc file won't be parsed if it's directly accessed
>
>example: http://www.example.net/myincludefile.inc
>
>This can be a security issue if you store database login/passwords in a *.inc
>file, which you should avoid to use any other extention than *.php, which will
>be parsed on a php enabled server.

Of course these files should be stored outside the document root.

Even a .php extension is no guarantee that no visitors will ever be able
to view that file. A server update, a misconfiguration, whatever --
there are some situations where even a .php file could be delivered
unparsed.

Micha

22/06/2007, 02h05	#8
Michael Fesser Messages: n/a Hébergeur:	Re: Parsing a php include (which also contains php code) - or "Reparsing" the php file ..oO(J.O. Aho) >It's true, the file extension don't matter when you include files in a php >file, but by default a .inc file won't be parsed if it's directly accessed > >example: http://www.example.net/myincludefile.inc > >This can be a security issue if you store database login/passwords in a .inc >file, which you should avoid to use any other extention than *.php, which will >be parsed on a php enabled server. Of course these files should be stored outside the document root. Even a .php extension is no guarantee that no visitors will ever be able to view that file. A server update, a misconfiguration, whatever -- there are some situations where even a .php file could be delivered unparsed. Micha