NYCPHP Meetup

[Russ Demarest]

.htaccess can be set to not serve .inc files. Doesn't require getting 
into apache config.

Russ

On Thursday, September 4, 2003, at 01:52  PM, Jim Hendricks wrote:

> I would agree to setting Apache to not serve .inc files except that I 
> want
> to maintain a consistent standard from one application to another.  I 
> don't
> have access to config Apache on many applications because the app runs 
> on a
> shared box.  Then there's when running under <gasp> IIS.  If I 
> standardize
> on the .inc extension protected via the web server then I need to have
> knowledge of how to do it in all the various environments I may work 
> in.
> Standardizing on putting incudes in a subdir of the app root & using 
> the
> .php extension to protect those include files from direct download 
> allows me
> to work in most any php environment, no need to have access to Apache, 
> no
> need to have access to ftp outside the webroot, no need for knowledge 
> of the
> web server either.
>
> This also allows me to work the same in PHP as I do in ASP.  Same 
> standard,
> different language.
>
> So I would also say that I fall into the 2nd category of I know the 
> risks
> but consider the convenience a worthwhile compromise.
>
> Knock on wood, but in 8 years of web app development ( mostly in ASP 
> and
> JSP ) I have yet to have an application hacked.  That may be mostly 
> luck,
> but I'ld like to think its partly due to the standards I've adopted.
>
> Jim
>
> ----- Original Message -----
> From: "Adam Fields" <fields at surgam.net>
> To: <shiflett at php.net>; "NYPHP Talk" <talk at lists.nyphp.org>
> Sent: Thursday, September 04, 2003 11:23 AM
> Subject: Re: [nycphp-talk] FUNDAMENTALS #1: Site Structure
>
>
>> On Thu, Sep 04, 2003 at 08:09:29AM -0700, Chris Shiflett wrote:
>>> I guess the answers could break down into three categories:
>>>
>>> 1. I place my includes under document root for convenience, and I'm 
>>> not
> aware
>>> of any problems that could cause.
>>> 2. I understand the risk in doing so, but I still place my includes
> under
>>> document root.
>>> 3. I place my includes outside of document root. It is a simple task,
> and it is
>>> at least more secure than doing otherwise.
>>
>> I typically name my includes with .inc extensions and set Apache to
>> not serve those files directly. This is both relatively convenient and
>> relatively secure.
>>
>> -- 
>> - Adam
>>
>> -----
>> Adam Fields, Managing Partner, fields at surgam.net
>> Surgam, Inc. is a technology consulting firm with strong background in
>> delivering scalable and robust enterprise web and IT applications.
>> http://www.adamfields.com
>> _______________________________________________
>> talk mailing list
>> talk at lists.nyphp.org
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>>
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>