[nycphp-talk] FUNDAMENTALS #1: Site Structure

Jim Hendricks jim at bizcomputinginc.com
Thu Sep 4 14:28:05 EDT 2003


Yes, but still relies on Apache specifics, which means when running in IIS I
would have to handle securing .inc differently.  Includes with .php in their
own directory need no special handling by different web servers, and if the
subdir is named inc or include the purpose of the .php file is still known.

Jim

----- Original Message ----- 
From: "Russ Demarest" <rsd at electronink.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Thursday, September 04, 2003 2:01 PM
Subject: Re: [nycphp-talk] FUNDAMENTALS #1: Site Structure


> .htaccess can be set to not serve .inc files. Doesn't require getting
> into Apache config.
>
> Russ
>
> On Thursday, September 4, 2003, at 01:52  PM, Jim Hendricks wrote:
>
> > I would agree to setting Apache to not serve .inc files except that I want
> > to maintain a consistent standard from one application to another.  I don't
> > have access to config Apache on many applications because the app runs on a
> > shared box.  Then there's when running under <gasp> IIS.  If I standardize
> > on the .inc extension protected via the web server then I need to have
> > knowledge of how to do it in all the various environments I may work in.
> > Standardizing on putting includes in a subdir of the app root & using the
> > .php extension to protect those include files from direct download allows me
> > to work in most any PHP environment, no need to have access to Apache, no
> > need to have access to FTP outside the webroot, no need for knowledge of the
> > web server either.
> >
> > This also allows me to work the same in PHP as I do in ASP.  Same standard,
> > different language.
> >
> > So I would also say that I fall into the 2nd category of I know the risks
> > but consider the convenience a worthwhile compromise.
> >
> > Knock on wood, but in 8 years of web app development ( mostly in ASP and
> > JSP ) I have yet to have an application hacked.  That may be mostly luck,
> > but I'd like to think it's partly due to the standards I've adopted.
> >
> > Jim
> >
> > ----- Original Message -----
> > From: "Adam Fields" <fields at surgam.net>
> > To: <shiflett at php.net>; "NYPHP Talk" <talk at lists.nyphp.org>
> > Sent: Thursday, September 04, 2003 11:23 AM
> > Subject: Re: [nycphp-talk] FUNDAMENTALS #1: Site Structure
> >
> >
> >> On Thu, Sep 04, 2003 at 08:09:29AM -0700, Chris Shiflett wrote:
> >>> I guess the answers could break down into three categories:
> >>>
> >>> 1. I place my includes under document root for convenience, and I'm not aware
> >>> of any problems that could cause.
> >>> 2. I understand the risk in doing so, but I still place my includes under
> >>> document root.
> >>> 3. I place my includes outside of document root. It is a simple task, and it is
> >>> at least more secure than doing otherwise.
> >>
> >> I typically name my includes with .inc extensions and set Apache to
> >> not serve those files directly. This is both relatively convenient and
> >> relatively secure.
> >>
> >> -- 
> >> - Adam
> >>
> >> -----
> >> Adam Fields, Managing Partner, fields at surgam.net
> >> Surgam, Inc. is a technology consulting firm with strong background in
> >> delivering scalable and robust enterprise web and IT applications.
> >> http://www.adamfields.com
> >> _______________________________________________
> >> talk mailing list
> >> talk at lists.nyphp.org
> >> http://lists.nyphp.org/mailman/listinfo/talk
> >>
> >>
> >
> >
>
>
>
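
The two conventions debated in this thread can be checked on a deployed tree. The following is an added example, not code from any poster in the thread: a small audit that lists .inc files under a document root that no .htaccess on their path denies. The .htaccess matching is a deliberate simplification, and the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: a <Files>/<FilesMatch> block naming "inc" plus a deny rule protects .inc files.
BLOCK = re.compile(r"<Files(?:Match)?\s+([^>]*)>(.*?)</Files(?:Match)?>", re.I | re.S)
DENY = re.compile(r"deny\s+from\s+all|require\s+all\s+denied", re.I)

SAMPLE = {  # constructed sample tree: relative path -> file contents
    "legacy/db.inc": "<?php $dbpass = 'example'; ?>",
    "guarded/.htaccess": '<Files ~ "\\.inc$">\nOrder allow,deny\nDeny from all\n</Files>\n',
    "guarded/lib/db.inc": "<?php /* covered by the parent .htaccess */ ?>",
    "inc/db.php": "<?php /* run by PHP when requested, source not sent */ ?>",
}

def htaccess_blocks_inc(directory):
    """True if directory/.htaccess carries a deny rule aimed at .inc files."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return any("inc" in pat.lower() and DENY.search(body)
               for pat, body in BLOCK.findall(text))

def exposed_includes(docroot):
    """List .inc files under docroot that no .htaccess on their path protects."""
    docroot, exposed = os.path.abspath(docroot), []
    for current, _dirs, files in os.walk(docroot):
        probe, protected = current, htaccess_blocks_inc(current)
        while not protected and probe != docroot:  # rules inherit downwards
            probe = os.path.dirname(probe)
            protected = htaccess_blocks_inc(probe)
        if not protected:
            exposed += [os.path.relpath(os.path.join(current, n), docroot)
                        for n in files if n.lower().endswith(".inc")]
    return sorted(exposed)

def audit_sample():
    """Write SAMPLE into a temporary docroot and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return exposed_includes(root)

if __name__ == "__main__":
    print(audit_sample())
```

Files ending in .php are not listed because the server runs them instead of sending their source; they still execute when requested directly, so include files kept under the document root should do nothing on their own beyond defining functions or settings.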



