Hudzilla.org - the homepage of Paul Hudson
Contents > Security concerns > Programming secure PHP

17.1.4     Remember that most files are public


When a file sits in your public HTML directory, anyone can request it: it is that simple. There was a silly craze a while ago to use the file extension ".inc" for include files, scripts whose only purpose is to be included into other scripts. While this makes a certain sense, and lets you see what a script is for simply by looking at its name, it is actually a major security hole.

For example, suppose you keep your database connection details in a file and include() that file from every script you write; that file would probably be called something like dbconnect.inc. Now, what happens if someone types www.example.com/dbconnect.inc directly into his or her web browser? Because ".inc" is not a PHP-handled file extension, your web server does not run the file; it sends it as plain text, so the visitor sees your source code, database host name, username and password included. The same applies to any other extension the server does not hand to PHP, such as .txt, .bak or .old copies of a script, or editor backup files like dbconnect.php~.
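A quick way to check a document root for this problem is to look for files that contain PHP source but carry an extension the server would not hand to PHP. The script below is an added example, not code from the book; the list of PHP-handled extensions is an assumption and should be adjusted to match the AddType or SetHandler lines in your own web server configuration.

```shell
#!/bin/sh
# Audit a document root for files that contain PHP source but whose extension
# the web server would not pass to the PHP engine, and which would therefore be
# sent to a browser as plain text.
#
# Assumption: only these extensions are mapped to PHP in httpd.conf.
PHP_EXTENSIONS="php phtml"

# Print the path of every regular file under $1 that holds a PHP open tag
# (<?php or <?=) but does not end in one of the PHP-handled extensions.
find_exposed_php_source() {
    docroot="$1"
    find "$docroot" -type f | while IFS= read -r path; do
        ext="${path##*.}"
        # A name with no dot yields ext == path, which never matches below,
        # so extension-less files are also reported if they contain PHP.
        case " $PHP_EXTENSIONS " in
            *" $ext "*) continue ;;
        esac
        if grep -Eq '<\?php|<\?=' "$path" 2>/dev/null; then
            printf '%s\n' "$path"
        fi
    done
}

# Run directly with a document root as the only argument, e.g.
#   sh audit_inc.sh /var/www/html
if [ $# -gt 0 ]; then
    find_exposed_php_source "$1"
fi
```

A dbconnect.inc.php file passes the check because its final extension is handled by PHP; a dbconnect.inc or a stray dbconnect.php.bak is reported. Anything the script lists should be moved out of the document root or blocked in the server configuration.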

A better solution, if you particularly want to mark your files as include files, is to use the extension .inc.php: the file is then parsed by PHP before anything is sent, so requesting it directly does not reveal your source code. Note that this only stops the leak; a directly requested include file still executes, which is rarely what you want. Better still, keep include files outside the document root (see 17.1.3) or configure the web server to refuse requests for them, so that they can only ever be reached through include().
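The three server-side options, written out for Apache as an added example rather than configuration from the book. The directives assume mod_php and Apache 2.4 (Require all denied); Apache 2.2 used Order/Deny instead, and with PHP-FPM the PHP mapping is done with SetHandler rather than AddType. The include directory path is a placeholder.

```apache
# Option 1: hand .inc files to PHP so they execute instead of being dumped as
# text (the workaround discussed in the comments below). The source no longer
# leaks, but the file still runs when requested directly.
AddType application/x-httpd-php .inc

# Option 2: refuse to serve include files at all, whatever their extension.
# dbconnect.inc can still be include()d by PHP, which reads it from disk.
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>

# Option 3 (preferred, see 17.1.3): keep includes outside the document root
# and point PHP's include_path at that directory, so there is nothing for a
# browser to request in the first place. /var/www/includes is a placeholder.
php_value include_path ".:/var/www/includes"
```

Options 2 and 3 can be combined; option 2 also covers editor backup files if the pattern is widened to match names such as dbconnect.php~ or *.bak.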





<< 17.1.3 Put key files outside your document root   17.1.5 Hide your identity >>

Comments from other readers
A PHP User - 05 Dec 2008

Yes, you can do that with a .htaccess file. It is quite easy and lets you handle any file as PHP. Be careful with this though, because there are some security problems relating to file uploads. I know that if you have a .jpg or .gif or whatever processed by PHP and you let the user upload it, if you aren't careful they can inject PHP code into the EXIF comments, or if you process .txt files they could just write PHP and save it as .txt then upload it.

A small issue to keep in mind also when you do this is that if you use a PHP/HTML editor (like Dreamweaver) it will most likely not colour the code any more, because it interprets it as plain text. There are ways around that, but it's way too difficult to explain in here. The best thing to do in my opinion is to either a) have an includes directory specified with .htaccess or php.ini or the Apache config, b) have an include directory somewhere in your site directory structure and just reference it from your script, or c) add a prefix to the filename like: inc_myfile.php.
You can combine any of these methods if you'd like to keep your site tidy.

A PHP User - 05 Dec 2008

Yep, they could!

Paul - 05 Dec 2008

About .inc serving plain text, if someone really wanted to couldn't they simply add .inc to handle PHP?

AddType application/x-httpd-php .inc


