[snip]
> How'd anyone be able to pull out my PHP source anyway? Since it's an http
> server, it'll only respond to http requests, and since php is processed
> upon request, the entire source will be altered to just html ... don't get
> that ...

Yeah, that's true if you give it a .php extension. But, you have to remember that anyone can now run the php page and have it executed out of context. It may or may not be an issue, depending on your code.

> at least the way I do it, the path to the included files is
> hidden, 'cause it's all variable controlled ... it just plugs together the
> variable with some path parts, directly in the include(...).
>
> So for anyone to pull the includes, they'll need to know the exact path to
> them, in order to retrieve them, right?

Security through obscurity. Give someone a reason and they'll figure out the path. I think the best solution for you right now is to go ahead and give them a .php extension, but be aware of what will happen when that script is run by itself, with register globals on or off.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
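
The two concerns in this thread (an include with a .php extension being requested by itself, and include paths assembled from variables) can be handled as in the following added example, which is not code from the thread or its participants. The file names, the `APP_ENTRY` constant, the `page` parameter and `resolve_include()` are hypothetical; the two files are shown in one listing.

```php
<?php
// ---- index.php: the only script meant to be requested directly ----
// A constant cannot be created from request data, with register_globals
// on or off, so it is a reliable "I was included properly" marker.
define('APP_ENTRY', true);

// Allowlist: the request supplies a key, never a path fragment.
$pages = array(
    'home'    => 'home.inc.php',
    'contact' => 'contact.inc.php',
);

function resolve_include($key, $pages, $baseDir)
{
    if (!is_string($key) || !isset($pages[$key])) {
        return null;  // unknown key: refuse rather than build a path from it
    }
    return $baseDir . '/' . $pages[$key];
}

$key  = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_include($key, $pages, dirname(__FILE__) . '/includes');
if ($file === null || !is_file($file)) {
    header('HTTP/1.0 404 Not Found');
    exit('Not found');
}
include $file;
echo '<h1>' . htmlspecialchars($title) . '</h1>';
?>
<?php
// ---- includes/home.inc.php: a separate file on disk ----
if (!defined('APP_ENTRY')) {
    // Requested by itself, out of context: stop before any logic runs.
    header('HTTP/1.0 403 Forbidden');
    exit;
}
// Assign every variable this file uses before reading it, so its value
// never depends on whether register_globals is on or off.
$title = 'Home';
```

Keeping the includes directory outside the document root removes direct requests to those files altogether, so the guard then acts as a second layer.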