|
|
Posted by Peter Brodersen on 06/03/05 12:47
On Thu, 02 Jun 2005 00:44:12 -0400, in php.general shiflett@php.net
(Chris Shiflett) wrote:
>3. The debate between storing includes outside of document root versus
>using a .php file extension, instructing Apache to process .inc files as
>PHP, instructing PHP to deny requests for .inc files, etc.
I agree regarding code on your own server/project.
I do believe that the situation is another when you are manager of
some project where your php code is being distributed to several
different systems beyond your control (think phpmyadmin, phpnuke, etc.
- maybe not the best examples regarding security record, though :-)
In that case, one could create some requirements regarding the
installation of the php application that some customers at web hosting
companies might not be able to follow (e.g. create a .htaccess denying
..inc-files, create folders outsite of webscope), or one could make a
trade-off between ease of installation and highed security. One way of
achieving this could be the sole use of .php-extensions (and code
constructed in a way that direct access would cause no harm).
I believe that there is reason to differ in these two cases for
practical reasons. In the latter case a lot of assumptions could cause
damage. Poorly implemented high security could be worse than moderate,
application based security.
--
- Peter Brodersen
Navigation:
[Reply to this message]
|