hungryhippo5000

[web] PHP .inc files

How safe is it to use the .inc file instead of .php when you try to include an external php file? I think this file type is a little unsafe because if somebody somehow figures out the name of the file they can explicitly type it in and view all the content since the file is in plain text. What do you guys think?

There's no reason to call them ".inc", most people use .php for PHP include files as well as the main ones.

However, I normally also put include files into their own directory (or directories) which is forbidden by Apache's config - this is achieved with "Deny From All" in .htaccess

Mark

Typically PHP programmers will name the include file something like one of the following:

- MyClass.inc.php
- MyClass.class.php

Another option is to leave it as MyClass.inc, and edit the .htaccess file to deny remote read access to the file...but that could be more difficult/risky.

Quote (original post by hungryhippo5000):
> How safe is it to use the .inc file instead of .php when you try to include an external php file? I think this file type is a little unsafe because if somebody somehow figures out the name of the file they can explicitly type it in and view all the content since the file is in plain text. What do you guys think?

Personally, I use ".ncl" because ".inc" is already commonly used for other types of includes. Also, I use a ".htaccess" file to prevent people from reading any file with the extension of .ncl.

Quote (original post by Mattman):
> [...]Another option is to leave it as MyClass.inc, and edit the .htaccess file to deny remote read access to the file...but that could be more difficult/risky.

You don't need to allow any access at all, because local access is done through the OS's API and not through Apache, so the permissions in ".htaccess" are ignored for local file operations.

It's usually a fair idea to use a .inc.php extension so the file is not readable online - of course you should also ensure that when the file is parsed (as PHP) it contains no code that can be executed outside the main application. Generally this is the case for many includes, but not always.

.htaccess "deny from all" should be your front level defence... Just bear in mind htaccess is not available off an Apache webserver (e.g. on IIS - heavens forbid!)

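Added example, not part of the original thread or any poster's code: a Python audit of a document root for the exposure discussed above, listing files that contain PHP source but neither end in `.php` nor fall under a "deny all" rule in an inherited `.htaccess`. It assumes Apache honours `.htaccess` in that tree and that only `*.php` is mapped to the PHP handler; the function names are hypothetical, and only top-level and `<FilesMatch>` deny rules are interpreted, so rules inside other sections are reported as unprotected.

```python
import re, tempfile
from pathlib import Path
PHP_OPEN = re.compile(rb"<\?(php|=)", re.I)
DENY = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.I)
FILESMATCH = re.compile(r'^<FilesMatch\s+"?(.+?)"?\s*>$', re.I)

def denied_by(text, filename):
    """True if a deny-all covers filename: at top level or in a matching <FilesMatch>."""
    stack = []  # regex per open section; None = a section this sketch does not interpret
    for line in map(str.strip, text.splitlines()):
        if line.startswith("</"):
            del stack[-1:]
        elif line.startswith("<"):
            stack.append(m.group(1) if (m := FILESMATCH.match(line)) else None)
        elif DENY.match(line) and all(p and re.search(p, filename) for p in stack):
            return True
    return False

def covered(path, docroot):
    """.htaccess rules are inherited: check every folder from docroot down to the file."""
    folder = docroot
    for part in ("",) + path.relative_to(docroot).parts[:-1]:
        folder = folder / part
        ht = folder / ".htaccess"
        if ht.is_file() and denied_by(ht.read_text(errors="replace"), path.name):
            return True
    return False

def exposed_includes(docroot):
    """Relative paths of files holding PHP source that would be served as plain text."""
    docroot, found = Path(docroot).resolve(), []
    for path in docroot.rglob("*"):
        if not path.is_file() or path.suffix.lower() == ".php" or path.name.startswith(".ht"):
            continue  # assumption: *.php is executed by PHP and .ht* is never served
        if PHP_OPEN.search(path.read_bytes()) and not covered(path, docroot):
            found.append(path.relative_to(docroot).as_posix())
    return sorted(found)

def demo():
    """Audit a constructed sample docroot written to a temporary directory."""
    tree = {"db.inc": "<?php $p = 'x';", "MyClass.inc.php": "<?php class A {}",
            "lib/.htaccess": "Deny from all\n", "lib/util.inc": "<?php function f() {}",
            "tpl/.htaccess": '<FilesMatch "\\.ncl$">\nRequire all denied\n</FilesMatch>\n',
            "tpl/head.ncl": "<?php echo 1;", "tpl/foot.inc": "<?= 2 ?>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in tree.items():
            (target := Path(root, rel)).parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return exposed_includes(root)
```

In the sample tree, `demo()` reports `db.inc` and `tpl/foot.inc`: the first has no rule above it, and the second sits beside a `<FilesMatch>` that only covers `.ncl`.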
