--- Mike Morton <[EMAIL PROTECTED]> wrote:
> That is precisely my point - if the user has shell access of any
> type you are compromised - but if they do not get server access -
> how could they possibly get the dotabase.inc.php?  If that is
> called directly then it will be parsed, and as long as you are not
> outputting anything in this page, they will not see the user/pass
> that you have in there...

That's the perspective that is the cause of many security vulnerabilities.

Why rely on some access restriction when you don't have to? You include code
using a filesystem path. There is no need for it to reside under document root.
Yes, you can make it so that certain things are not served directly by the Web
server, but why take the extra risk? You gain nothing. What if you make a
mistake? What if you install a new version of Apache and that file accidentally
gets served raw?

Chris

=====
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
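The layout Chris is arguing for, as an added example that is not part of the thread: the credentials file is included by filesystem path from a directory that sits beside, not under, the document root, and a small check refuses to load it if a deployment mistake ever puts it where the web server could serve it. The directory names, the `assertOutsideDocumentRoot()` helper and the array-returning config file are assumptions for illustration.

```php
<?php
// Added example (not from the mailing-list thread). Assumed layout:
//   /var/www/example/public/index.php         <- DOCUMENT_ROOT is /var/www/example/public
//   /var/www/example/config/database.inc.php  <- no URL maps to this path
//
// The weaker layout discussed in the thread keeps database.inc.php under
// public/ and relies on the PHP handler always parsing it. If that handler is
// ever missing (a misconfigured upgrade, a vhost without the php module), the
// raw file, credentials included, is served as text.

declare(strict_types=1);

// Resolve the include relative to this script on the filesystem, never via a URL.
// From public/index.php, dirname(__DIR__) is /var/www/example.
$configFile = dirname(__DIR__) . '/config/database.inc.php';

/**
 * Fail loudly if a credentials file lives under the document root, so a
 * mistaken deployment is caught at request time instead of silently exposing
 * secrets later. Hypothetical helper, written for this example.
 */
function assertOutsideDocumentRoot(string $path): void
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("Config file not found: $path");
    }

    // DOCUMENT_ROOT is only set when running under a web server; on the CLI
    // there is nothing to be served from, so the check is skipped.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot === false) {
        return;
    }

    $prefix = rtrim($docRoot, '/') . '/';
    if (strpos($real, $prefix) === 0) {
        throw new RuntimeException(
            "Refusing to load credentials from under the document root: $real"
        );
    }
}

assertOutsideDocumentRoot($configFile);

// config/database.inc.php is assumed to contain only:
//   <?php return ['dsn' => 'mysql:host=127.0.0.1;dbname=app',
//                 'user' => 'app_user', 'pass' => 'REPLACE_ME'];
// so nothing is echoed even if it were ever executed directly.
$db = require $configFile;

$pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

The important part is the first line that builds `$configFile`: `require` and `include` take filesystem paths, so the configuration can live anywhere the PHP process can read, and the web server never needs a rule to hide it. The `assertOutsideDocumentRoot()` check is a second line of defence against the "what if you make a mistake?" case; file permissions that limit the config to the web server's user complete the picture.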
