> -----Original Message-----
> From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] 
> Sent: Thursday, November 11, 2010 11:46 AM
> To: João Cândido de Souza Neto
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Re: use of ini vs include file for configuration
> 
> On Thu, 2010-11-11 at 17:16 -0200, João Cândido de Souza Neto wrote:
> 
> > Agreed.
> > 
> > -- 
> > João Cândido de Souza Neto
> > 
> > "Tamara Temple" <tamouse.li...@gmail.com> escreveu na mensagem 
> > news:977f087c-bb11-4444-b851-21616ae9e...@gmail.com...
> > > I'm curious what the lists' opinions are regarding the use of an .ini
> > > file versus an include configuration file in PHP code?
> > >
> > > I can see uses for either (or both).
> > >
> > > To me, it seems that an .ini file would be ideal in the case where you
> > > want to allow a simpler interface for people installing your app to
> > > configure things that need configuring, and an included PHP code
> > > configuration file for things you don't necessarily want the average
> > > installer to change.
> > >
> > > What do you think?
> > >
> > > Tamara
> > > 
> > 
> > 
> > 
> 
> 
> There are potential security concerns involved too. An .ini file will be
> output as plain text by default by the web server if requested by a user
> agent unless it is protected somehow (by a .htaccess file for example)
> or it is outside of document root for the server. A PHP file on the
> other hand will be parsed, so won't output its variables.
> 
> It's all too easy to forget to protect an ini file from this sort of
> thing, whereas if you've written a website in PHP, it becomes fairly
> evident if your web server isn't configured for PHP without testing
> specifically for it!

Why would you put your configuration file in a ../htdocs folder? That's
just poor design.

Just as your classes and include files are OUTSIDE your document root, so
must your config file be.

Plus it's trivial to secure a .ini with a .htaccess or other Apache method.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
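
The layout discussed in this thread (an .ini kept outside the document root so the web server cannot hand it out as plain text) can be enforced when the configuration is loaded. This is an added example, not code from any poster in the thread; the function names `is_inside_docroot` and `load_app_config`, the file names and the temp-directory layout are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: refuse to load an .ini that sits under the document root.
// All names and paths here are hypothetical.

/** True if $path resolves (symlinks included) to a location under $docRoot. */
function is_inside_docroot(string $path, string $docRoot): bool
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false; // unresolved paths are rejected by the caller
    }
    // Compare with a trailing separator so /var/www-old does not match /var/www.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

/** Parse an .ini file, but only if the web server cannot serve it directly. */
function load_app_config(string $iniPath, string $docRoot): array
{
    if (realpath($iniPath) === false) {
        throw new RuntimeException("Config file not found: $iniPath");
    }
    if (is_inside_docroot($iniPath, $docRoot)) {
        throw new RuntimeException(
            "Refusing to load $iniPath: it is under the document root"
        );
    }
    $config = parse_ini_file($iniPath, true, INI_SCANNER_TYPED);
    if ($config === false) {
        throw new RuntimeException("Could not parse $iniPath");
    }
    return $config;
}

// Constructed layout: one copy outside the document root, one inside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . uniqid();
mkdir("$base/htdocs", 0700, true);
mkdir("$base/config", 0700, true);
$ini = "[database]\nhost = localhost\nport = 3306\n";
file_put_contents("$base/config/app.ini", $ini);
file_put_contents("$base/htdocs/app.ini", $ini);

$cfg = load_app_config("$base/config/app.ini", "$base/htdocs");
echo "loaded, port = ", $cfg['database']['port'], "\n";

try {
    load_app_config("$base/htdocs/app.ini", "$base/htdocs");
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

In a real application the second argument would normally come from `$_SERVER['DOCUMENT_ROOT']`.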