You already have your solution in your original question, then. If you don't want to use any of these other techniques, then name your files with a .php extension (I use .inc.php) and enclose everything in classes or functions. If you're just aware that your included files can be run out of context, and program accordingly, your scripts will be just fine.
An include file full of functions or classes will not "run" anything when called, it'll simply load it into memory.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/

> -----Original Message-----
> From: Jacob Copsey [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 15, 2003 3:53 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Security in included PHP files
>
> I agree these are good solutions and I have considered them. However, I am
> looking for an all-inclusive solution that is code only within PHP that
> allows the admin of the application to copy the files to their server and
> not need to do any server specific configuration. That is why I don't name
> the included files with .inc. It would require configuration of the server
> to prevent downloading of those files and I don't want to require that step
> of people who choose to run the app on their server.
>
> Thanks for the input!
>
> Jacob
>
> "Chris Shiflett" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > --- Jacob Copsey <[EMAIL PROTECTED]> wrote:
> > > My style of PHP is to name all included files with a .php
> > > extension and of course this raises the problem of people
> > > accessing these script files directly.
> >
> > I always name included files *.inc myself, but that's a
> > personal preference combined with a strong desire to adhere
> > to strict naming conventions.
> >
> > It is very easy to make sure people cannot access your
> > include files directly. There are two common ways to do
> > this, and I will mention my preference first.
> >
> > 1. Do not store your include files under document root.
> > This is a very simple and straightforward approach that
> > negates all of the types of questions you were asking.
> >
> > 2. Deny access to any file with an extension of inc. Of
> > course, you would have to conform to a naming standard a
> > bit more for this to work. A quick Google search revealed
> > this example for Apache:
> >
> > <Files ~ "\.inc$">
> > Order allow,deny
> > Deny from all
> > </Files>
> >
> > Chris
> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
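
The advice in the reply above (keep everything in an include file inside functions or classes so that a direct request runs nothing) can be checked mechanically. The following is an added example, not code from this thread: `topLevelCode()` and both sample files are constructed for illustration, and the check relies on PHP's built-in `token_get_all()`.

```php
<?php
// Added example (not from the thread). Lists the lines of a PHP include file
// that sit outside any function/class body, i.e. what would execute if the
// file were requested directly. Heuristic: braced namespace blocks not handled.
function topLevelCode(string $source): array
{
    $definitions  = [T_FUNCTION, T_CLASS, T_INTERFACE, T_TRAIT];
    $declarations = [T_NAMESPACE, T_USE, T_CONST];        // end at the next ';'
    $harmless     = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT,
                     T_DOC_COMMENT, T_ABSTRACT, T_FINAL];
    $findings = [];            // line number => first top-level token on it
    $depth = 0;                // brace depth inside the current definition
    $inDefinition = $inDeclaration = false;
    $line = 1;
    foreach (token_get_all($source) as $token) {
        // Single-character tokens are plain strings with no line number.
        [$id, $text, $line] = is_array($token) ? $token : [null, $token, $line];
        if ($inDefinition) {
            // "{$x}" and "${x}" in strings open a brace that a plain '}' closes.
            if (($id === null && $text === '{') || $id === T_CURLY_OPEN
                    || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
                $depth++;
            } elseif ($id === null && $text === '}' && --$depth === 0) {
                $inDefinition = false;
            }
        } elseif ($inDeclaration) {
            $inDeclaration = ($text !== ';');
        } elseif (in_array($id, $definitions, true)) {
            $inDefinition = true;
        } elseif (in_array($id, $declarations, true)) {
            $inDeclaration = true;
        } elseif (!in_array($id, $harmless, true)) {
            $findings[$line] = $findings[$line] ?? trim($text);
        }
    }
    return $findings;
}

// Constructed sample: the same include written two ways.
$loose = <<<'PHP'
<?php
$report = build_report($_GET['id']);
echo $report;
function build_report($id) { return "report {$id}"; }
PHP;
$wrapped = <<<'PHP'
<?php
function build_report($id) { return "report {$id}"; }
function show_report($id) { echo build_report($id); }
PHP;
print_r(topLevelCode($loose));
print_r(topLevelCode($wrapped));
```

Any line it reports is code that runs out of context when the include is fetched by URL; `require`, `define()` and inline HTML at file level are reported too, since they also execute on a direct request.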