Posted by Rasmus Lerdorf on 10/21/59 11:17

Martin Zvarik wrote:
> Hi,
> I saw files like "file.inc.php" and "file.inc"
>
> What is the *.inc suffix good for ?

I don't see the point in file.inc.php, but file.inc is something I use
all the time to indicate that a file is designed to be included and not
accessed directly. Then I have an Apache config rule that prevents
direct access to the file which looks like this:

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

Without this rule people would be able to access the .inc file directly
and since PHP won't parse it, the raw source code would be visible which
could be a security problem. If you prevent this simply by putting .php
onto the end of your include files, you could have a different security
problem in that files designed to be included could be run out of their
include context and could potentially do something unexpected.

-Rasmus

[Back to original message]