This explanation from Justin is worth saving. I also like to call all of my included modules *.inc, and I prefer to store them outside of document root.
However, if you want to keep all of your files together, the .htaccess file shown below is the best way to restrict direct access to modules. Some people make the mistake of simply making *.inc files considered PHP by Apache (claiming it is better to execute them than to have their source code displayed), but this gives attackers the opportunity to execute your modules out of context - a very dangerous approach. One extra note worth adding is that you should add this configuration to your httpd.conf if you are the Web server administrator. This will keep you from having to remember the .htaccess file everywhere. Justin's method is best for when you do not have this option. Chris Justin French wrote: >I place name all my included files *.inc... I place them all in a folder >/inc/ and place a .htaccess file in that directory to restrict the files >being served of HTTP: > ><Files ~ "\.inc$"> > Order Allow,Deny > Deny from all ></Files> > >Another option would be to place them in a folder ABOVE your web root, so >that Apache can't serve them -- if you have that option. > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
