Posted by Jochem Maas on 06/02/05 15:16
Richard Lynch wrote:
> On Wed, June 1, 2005 1:29 am, Denis Gerasimov said:
>
>>Second, which way are you differ PHP .inc files from HTML .inc files?
>
>
> There is no such thing as an HTML .inc file. :-)
>
> All your HTML .inc files, by definition, if they are being require'd or
> include'd into PHP *are* PHP .inc files.
>
> It is merely a coincidence of your design that they happen to have no
> <?php ?> tags in them.
>
> You *MAY* want to separate those into another non-web tree directory.
>
>
>>Third, I always write context-independent include files.
>
>
> Example?...
>
> Can you guarantee that every .inc and .inc.php and .php file in every
> third-party application is context-independent?
>
> Suppose your client insists tomorrow that you install [insert least
> favorite forum software here]?
>
> You *NEED* to have the policy/procedure in place to get those .inc and
> .inc.php and non-entry .php files *OUT* of the web-tree, or you will get
> bit, sooner or later.
>
> It's simply too easy to transfer a site and lose the .htaccess files, or
I've been bitten by that :-)
so what I often do now is use a 'root' .htaccess to define my include_path,
without it the whole site does nothing except go 'argh' at the first line of
each script that can be called... the first line always being 'include XXXX';
so now I don't forget to copy the .htaccess. ;-)
also this approach makes it easier to check out a project from CVS and get it
running wherever - you just need to create/edit (.htaccess files don't live in my CVS
for the very reason that they are specific to a given checkout/installation)
a suitable .htaccess and the site goes.
it's been a great week for tips and advice from the 'big guns' - thanks
to you all, I really have learnt a lot this week!
(who are big guns? well their names are either splattered
all over the source or they have been hammering this list with
knowledge for years or both! yes you too Richard ;-)
> for a new/changed httpd.conf to not have the .inc rules or mess up PHP
> completely or...
>
> Why risk the possibility of your code being exposed or executed out of
> context when it's so *EASY* to move the include files and set
> include_path?
>
> I just don't understand the resistance to such a simple straight-forward
> elegant security measure.
>
> For 5 minutes of time, you can avoid dozens of potential pitfalls. [shrug]
>
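The scheme Jochem describes (a root .htaccess that sets include_path to a directory outside the web tree, and every entry script including a file as its first line so a missing .htaccess fails loudly) can be made to check itself. The bootstrap below is an added example and is not code from the thread or from either poster; the directory `/srv/example/includes`, the file name `config.inc.php` and the function names are hypothetical. Under mod_php the .htaccess line it expects is `php_value include_path ".:/srv/example/includes"`, which only takes effect if the vhost allows `AllowOverride Options` (or `All`).

```php
<?php
// Added example, not from the thread: the "first line" bootstrap that every
// web-callable script requires. It refuses to run if include_path contains no
// directory outside the document root (the root .htaccess was lost in a
// transfer, or httpd.conf no longer applies it), and if the include file it
// needs cannot be resolved from such a directory. Paths are hypothetical.

declare(strict_types=1);

/**
 * True when $dir lies outside $docRoot. Both paths are canonicalised with
 * realpath() so symlinks and ".." segments cannot make an in-tree directory
 * look like an out-of-tree one. Unresolvable paths are treated as unsafe.
 */
function isOutsideDocumentRoot(string $dir, string $docRoot): bool
{
    $realDir  = realpath($dir);
    $realRoot = realpath($docRoot);
    if ($realDir === false || $realRoot === false) {
        return false;
    }
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $realDir  = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realDir, $realRoot, strlen($realRoot)) !== 0;
}

/**
 * Check that include_path names at least one directory outside the web tree
 * and that $file resolves to a copy living in such a directory. Returns the
 * resolved path; throws with a message naming the likely cause otherwise.
 */
function requireOutOfTreeInclude(string $file, string $docRoot): string
{
    $dirs = explode(PATH_SEPARATOR, get_include_path());
    $safe = array_filter(
        $dirs,
        fn (string $d): bool => $d !== '.' && isOutsideDocumentRoot($d, $docRoot)
    );
    if ($safe === []) {
        throw new RuntimeException(
            'include_path has no directory outside the web tree; is the root .htaccess missing?'
        );
    }

    // stream_resolve_include_path() walks include_path in order, so a stray
    // copy of $file inside the web tree (e.g. via ".") would shadow the real
    // one; that case is rejected here rather than silently used.
    $resolved = stream_resolve_include_path($file);
    if ($resolved === false || !isOutsideDocumentRoot(dirname($resolved), $docRoot)) {
        throw new RuntimeException(
            "$file did not resolve to an include directory outside the web tree"
        );
    }
    return $resolved;
}

// Usage: the first line of every entry script is `require 'bootstrap.php';`
// and this is what that bootstrap does. DOCUMENT_ROOT is set by the web
// server; the getcwd() fallback only exists so the file can be exercised
// from the command line.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? getcwd();
try {
    require requireOutOfTreeInclude('config.inc.php', $docRoot);
} catch (RuntimeException $e) {
    http_response_code(500);
    exit('Site misconfigured: ' . $e->getMessage());
}
```

With this in place, losing the .htaccess during a site transfer produces one clear 500 on the first request instead of a page that half-works, and an .inc file that was copied back into the document root is flagged rather than silently preferred over the out-of-tree copy.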