Posted by Michael Fesser on 11/02/07 19:26
..oO(Tom)
 >I think some of the concern is that PHP files get configured to be parsed by the
 >server before being sent to the user. If you have .inc files, those probably get
 >delivered as plain text with all your code viewable.
 
 I would never rely on that for security. All it takes is a little
 misconfiguration or maybe a broken server update and even .php files may be
 spit out as plain text.
 
 Some weeks ago there was a poster who wrote about a problem with his
 server, which occasionally delivered his scripts as plain text, while
 most of the time they were parsed correctly ... strange, but it may
 happen.
 
 Storing such files outside the document root is the way to go if the
 host allows it (every good one does). It's the most secure way.
 
 Micha