Hi,

> Why rely on some access restriction when you don't have to? You include code
> using a filesystem path. There is no need for it to reside under document root.
> Yes, you can make it so that certain things are not served directly by the Web
> server, but why take the extra risk? You gain nothing. What if you make a
> mistake? What if you install a new version of Apache and that file accidentally
> gets served raw?

Right. Also don't forget, there have been exploits in the past, and there
will be in the future that will allow a hacker access to your docroot (not
necessarily the entire system) through the web browser, and they can
download all those files. Why leave the database connection information in
there for him?

-Dan Joseph


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
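
An added example, not part of the original messages: a small audit that walks a document root and reports include files that would be served raw, plus files whose connection settings are protected only by the PHP handler mapping. The extension set, the credential patterns, the function names and the sample files (including the `/srv/app/private/db.php` path) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: only these extensions are mapped to the PHP handler on this server.
EXECUTED_EXTENSIONS = {".php"}
# Heuristic markers of connection settings in PHP source (assumed, not exhaustive).
CREDENTIAL_RE = re.compile(
    rb"mysql_connect\s*\(|mysqli_connect\s*\(|new\s+PDO\s*\(|\$\w*pass(word)?\w*\s*=",
    re.IGNORECASE)
PHP_TAG_RE = re.compile(rb"<\?(php|=|\s)")


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) pairs for risky files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB is enough for a config file
            ext = os.path.splitext(name)[1].lower()
            has_creds = bool(CREDENTIAL_RE.search(data))
            if ext not in EXECUTED_EXTENSIONS and PHP_TAG_RE.search(data):
                # No handler for this extension: the server returns the source as-is.
                reason = "served raw" + (" with credentials" if has_creds else "")
                findings.append((rel, reason))
            elif has_creds:
                # Not exposed today, but only while the PHP handler stays configured.
                findings.append((rel, "credentials depend on handler config"))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed sample docroot in a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="docroot_")
    samples = {
        "index.php": b"<?php require '/srv/app/private/db.php'; ?>",
        "db.inc": b"<?php $db_pass = 'example'; mysql_connect('h', 'u', $db_pass); ?>",
        "lib/config.php": b"<?php $password = 'example'; ?>",
        "style.css": b"body { margin: 0 }",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root
```

Calling `audit_docroot(build_sample_docroot())` flags `db.inc` and `lib/config.php` but not `index.php`, which only references a file by a filesystem path outside the document root.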
