|
Posted by "Richard Lynch" on 06/02/05 05:55
On Wed, June 1, 2005 1:29 am, Denis Gerasimov said:
> Second, which way are you differ PHP .inc files from HTML .inc files?
There is no such thing as an HTML .inc file. :-)
All your HTML .inc files, by definition, if they are being require'd or
include'd into PHP *are* PHP .inc files.
It is merely a coincidence of your design that they happen to have no
<?php ?> tags in them.
You *MAY* want to separate those into another other non-web tree directory.
> Third, I always write context-independent include files.
Example?...
Can you guarantee that ever .inc and .inc.php and .php file in every
third-party application is context-independent?
Suppose your client insists tomorrow that you install [insert least
favority forum software here]?
You *NEED* to have the policy/procedure in place to get those .inc and
..inc.php and non-entry .php files *OUT* of the web-tree, or you will get
bit, sooner or later.
It's simply too easy to transfer a site and lose the .htaccess files, or
for a new/changed httpd.conf to not have the .inc rules or mess up PHP
completely or...
Why risk the possibility of your code being exposed or executed out of
context when it's so *EASY* to move the include files and set
include_path?
I just don't understand the resistance to such a simple straight-forward
elegant security measure.
For 5 minutes of time, you can avoid dozens of potential pitfalls. [shrug]
--
Like Music?
http://l-i-e.com/artists.htm
[Back to original message]
|