Reply to Re: 'require_once' or 'include' security question


Posted by C. on 10/12/07 10:22

On 11 Oct, 23:23, Michael Fesser <neti...@gmx.de> wrote:
> .oO(David Basford)
>
> >I learned php as I went along (I'm a C programmer in my job which made it
> >easy though this is a non-financial hobby enterprise)
> >I'd followed what I read and used .INC files to hold important info like
> >usernames and passwords for the different access levels that different pages
> >might use.
>
> >Isn't that rubbish?
> >shouldn't these pages be .PHP files you require_once ?
>
> Not necessarily.
>
8<
>
> Such files don't belong to the document root. They should be stored
> outside of it, so that they are not accessible by a URL at all.
>
8<
> _Never_ make such files available via a URL.
8<
>
> RTFM again. 'include/once' and 'require/once' do the same, the only
> difference is the error handling if a file can't be found.
>

Mostly agreed, although cheap and nasty hosting doesn't always allow
an include directory outside the document root. Possible solutions
include:

- naming files so that they are not served up - typically anything
  beginning '.ht' - but this is a bit of a hack
- having only function/class definitions in include files and naming
  them as .php (where I've set up style guides, I always use .inc.php
  for include files, regardless of location)

C.
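
A check for the situation discussed in this thread, as an added example that is not part of the original posts: it lists include files under a document root that a server would hand out as source. It assumes only names ending in .php reach the PHP handler and that the server refuses names beginning '.ht'; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list PHP include files under a document
# root that the web server would return as plain text.
# Assumptions: only names ending in .php reach the PHP handler, and the server
# refuses requests for names beginning ".ht" (the rule the reply relies on).

# classify_include PATH -> prints parsed | denied | exposed
classify_include() {
    case "${1##*/}" in
        .ht*)  echo denied ;;   # never served, so the source stays private
        *.php) echo parsed ;;   # executed on request; covers the .inc.php style
        *)     echo exposed ;;  # e.g. db.inc: sent verbatim, passwords included
    esac
}

# audit_docroot DIR -> prints every file that contains PHP code and is "exposed"
# (paths containing newlines are not supported)
audit_docroot() {
    find "$1" -type f -exec grep -lF -e '<?php' -e '<?=' -- {} + 2>/dev/null |
    while IFS= read -r path; do
        if [ "$(classify_include "$path")" = exposed ]; then
            printf '%s\n' "$path"
        fi
    done | sort
}

# With an argument, audit that directory: sh audit.sh /path/to/docroot
[ "$#" -eq 0 ] || audit_docroot "$1"
```

Any path it prints should be moved outside the document root or renamed using one of the two schemes above.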
