Posted by Michael Fesser on 10/11/07 22:23
..oO(David Basford)
>I learned php as I went along (I'm a C programmer in my job which made it
>easy though this is a non-financial hobby enterprise)
>I'd followed what I read and used .INC files to hold important info like
>usernames and passwords for the different access levels that different pages
>might use.
>
>Isn't that rubbish?
>Shouldn't these pages be .PHP files you require_once?
Not necessarily.
>if a site user looks for http://www.mysite.com/inky.inc he will sometimes
>get to see the contents including all the php stuff (I've not mastered all
>my permissions yet - and I know I need to work on that) but if he/she tries
>http://www.mysite.com/inky.php the content would be whatever non-php was in
>that file.
Such files don't belong to the document root. They should be stored
outside of it, so that they are not accessible by a URL at all.
If they are stored inside the document root, then you have to rely on a
properly configured web server to protect them. Even a '.php' extension
is no guarantee that the file will always be parsed. A misconfiguration
or a broken server update might allow the file to be delivered as plain
text. To prevent that right from the beginning, store them outside the
document root. And then you can name them any way you want.
>Is my assumption correct?
>I need to make a generic file which is referenced to.
>It will (presently) contain information about other files (presently .inc
>files) that contain password and user information
_Never_ make such files available via a URL.
>If I didn't explain well, let me know
>
>Any ideas - is it Ok to change to 'require_once' ? It certainly seems safer
>than 'include'
RTFM again. 'include/once' and 'require/once' do the same, the only
difference is the error handling if a file can't be found.
Micha
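
The layout recommended in the reply above, as an added example that is not part of either post: credentials live in a directory beside the document root and are loaded by filesystem path. The directory names, the `load_private_config` helper and the sample credentials are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo layout under the temp dir (hypothetical names):
//   private/db.inc   credentials, outside the document root
//   public_html/     document root, the only tree the server maps to URLs
$base    = sys_get_temp_dir() . '/inc_demo_' . getmypid();
$docRoot = "$base/public_html";
$private = "$base/private";
mkdir($docRoot, 0750, true);
mkdir($private, 0750, true);
file_put_contents("$private/db.inc",
    "<?php\nreturn ['user' => 'app_ro', 'pass' => 'constructed-sample'];\n");

// Hypothetical helper: load a config file, refusing one that sits inside the document root.
function load_private_config(string $file, string $docRoot): array
{
    $path = realpath($file);
    $root = realpath($docRoot);
    if ($path === false || $root === false) {
        throw new RuntimeException("Missing path: $file");
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Refusing config inside document root: $path");
    }
    // require: a missing file is a fatal error, so the page never runs without
    // its credentials. The file extension plays no part once no URL reaches it.
    $config = require $path;
    if (!is_array($config)) {
        throw new RuntimeException("Config did not return an array: $path");
    }
    return $config;
}

$config = load_private_config("$private/db.inc", $docRoot);
echo "loaded user: {$config['user']}\n";

// A stray copy inside the document root is rejected before it is ever loaded.
copy("$private/db.inc", "$docRoot/db.inc");
try {
    load_private_config("$docRoot/db.inc", $docRoot);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// include on a missing file only raises a warning (suppressed here) and execution continues.
$result = @include "$private/missing.inc";
echo 'include returned ', var_export($result, true), ", script still running\n";
```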