Remember that most files are public
When you have files in your public HTML directory, people can get at them - it is that simple. There was a silly craze a while ago to use the file extension ".inc" for include files - scripts that only served to be included into other scripts. While this might make sense, and lets you tell what a script is for simply by looking at its name, it is actually a major security hole.
For example, if you save your database connection info in a file, then include() that file into every script you write, that file would probably be called something like dbconnect.inc. Now, what happens if someone were to type www.example.com/dbconnect.inc directly into his or her web browser? Your web server would load the ".inc" file and send it as plain text, because ".inc" is not an extension it hands to PHP, which means that someone accessing the .inc file directly would see your source code - database credentials included.
A much better solution, if you particularly want to mark your files as include files, is to use the extension .inc.php - this way, they will be parsed by PHP before being sent to people directly, and therefore will not reveal your source code.
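As an added check that is not part of the original chapter, the shell script below audits a document root for include files that would be served as plain text. It assumes the web server hands only the extensions in PHP_EXTS (.php and .phtml) to the PHP interpreter; anything else is returned to the browser verbatim.

```shell
#!/bin/sh
# Added example: find include files under a document root that the web
# server would send as source code instead of running them.
# Assumption: only these final extensions are handled by PHP (check your
# AddHandler / FilesMatch configuration and adjust accordingly).
PHP_EXTS="php phtml"

# is_php_handled FILE -> exit 0 if the file's final extension is PHP-handled
is_php_handled() {
    base=$(basename "$1")
    ext="${base##*.}"
    for e in $PHP_EXTS; do
        [ "$ext" = "$e" ] && return 0
    done
    return 1
}

# list_exposed_includes DOCROOT -> prints every file whose name contains
# ".inc" but whose final extension is not PHP-handled, i.e. files that
# would be sent as plain text if requested directly.
list_exposed_includes() {
    find "$1" -type f -name '*.inc*' | while read -r f; do
        is_php_handled "$f" || printf '%s\n' "$f"
    done | sort
}

# count_exposed_includes DOCROOT -> number of exposed include files
count_exposed_includes() {
    list_exposed_includes "$1" | wc -l | tr -d ' '
}

# Demo on a constructed document root: one exposed .inc file, one safe
# .inc.php file, and one exposed .inc file in a subdirectory.
demo() {
    root=$(mktemp -d)
    printf '<?php $db_pass = "example";\n' > "$root/dbconnect.inc"
    printf '<?php $db_pass = "example";\n' > "$root/dbconnect.inc.php"
    mkdir "$root/lib"
    printf '<?php function helper() {}\n' > "$root/lib/helpers.inc"
    echo "Exposed include files under $root:"
    list_exposed_includes "$root"
    rm -rf "$root"
}

demo
```

On Apache the same exposure can also be closed at the server with a `<FilesMatch "\.inc$">` block that denies access, but renaming to .inc.php as described above remains the simpler fix.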



Copyright 2010 Future Publishing Limited (company
registered number 2008885), a company registered
in England and Wales whose registered office is at
Beauford Court, 30 Monmouth Street, Bath, BA1 2BW, UK