Re: 'require_once' or 'include' security question
On 11 Oct, 23:23, Michael Fesser <neti...@gmx.de> wrote:
> .oO(David Basford)
>
>
>
> Not necessarily.
>
8<
>
> Such files don't belong to the document root. They should be stored
> outside of it, so that they are not accessible by a URL at all.
>
8<
> _Never_ make such files available via a URL.
8<
>
> RTFM again. 'include/once' and 'require/once' do the same, the only
> difference is the error handling if a file can't be found.
>
Mostly agreed, although cheap and nasty hosting doesn't always allow
an include directory outside the document root. Possible solutions
include:
* naming files so that they are not served up - typically anything
  beginning '.ht' - but this is a bit of a hack
* having only function/class definitions in include files and naming
  them as .php (where I've set up style guides, I always use .inc.php
  for include files, regardless of location)
C.
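
The two naming workarounds listed in the message above can be checked mechanically. The following is an added example, not code from either poster: it uses PHP's tokenizer to confirm that an include file kept under the document root contains only declarations, and classifies files by name. The function names `topLevelCode` and `auditInclude`, the sample file names and the server behaviour noted in the first comment are assumptions made for the illustration.

```php
<?php
// Added example. Assumes ".ht*" names are denied and only "*.php" is run by PHP.
// topLevelCode(): line numbers holding code outside any function/class declaration.
function topLevelCode(string $source): array
{
    $neutral  = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $declares = [T_FUNCTION, T_CLASS, T_INTERFACE, T_TRAIT, T_ABSTRACT, T_FINAL];
    $passive  = [T_NAMESPACE, T_USE, T_DECLARE, T_CONST];   // harmless up to ";"
    $opens    = [T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES]; // "{" inside strings
    $depth = 0; $inDecl = false; $toSemi = false; $line = 1; $hits = [];
    foreach (token_get_all($source) as $tok) {
        [$id, , $line] = is_array($tok) ? $tok : [null, null, $line];
        if ($toSemi) {                          // inside namespace/use/declare
            $toSemi = ($tok !== ';');
        } elseif ($inDecl) {                    // skip header and { } body
            $depth += ($tok === '{' || in_array($id, $opens, true)) ? 1 : ($tok === '}' ? -1 : 0);
            $inDecl = ($tok !== '}' || $depth > 0);
        } elseif (in_array($id, $declares, true)) {
            $inDecl = true;
        } elseif (in_array($id, $passive, true)) {
            $toSemi = true;
        } elseif (!in_array($id, $neutral, true)) {
            $hits[$line] = true;                // statement, output, inline HTML
        }
    }
    return array_keys($hits);
}

// auditInclude(): verdict for one file in the document root, by its name and contents.
function auditInclude(string $name, string $source): string
{
    if (strncmp($name, '.ht', 3) === 0) {
        return "$name: denied by name";
    }
    if (substr($name, -4) !== '.php') {
        return "$name: " . (strpos($source, '<?') === false ? 'not PHP' : 'SOURCE SHOWN if requested');
    }
    $lines = implode(',', topLevelCode($source));
    return "$name: " . ($lines === '' ? 'definitions only' : "RUNS CODE at line $lines");
}

// Constructed sample files (name => contents).
$samples = [
    'db.inc'        => '<?php $password = "example";',
    '.htdb.php'     => '<?php $password = "example";',
    'lib.inc.php'   => '<?php function tag($a) { return "<{$a}>"; } class Db {}',
    'setup.inc.php' => "<?php\nfunction f() {}\necho 'setup done';\n",
];
echo implode("\n", array_map('auditInclude', array_keys($samples), $samples)), "\n";
```

Braced `namespace { }` blocks and PHP 8 attributes are not special-cased, so files using them are reported as containing top-level code.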

Michael Fesser 2007-10-12, 7:59 am
.oO(C.)
>Mostly agreed, although cheap and nasty hosting doesn't always allow
>an include directory outside the document root.
True, but often those hosts also have some more restrictions or missing
features, so IMHO it's time to look for a better host. And since hosting
is quite cheap these days in general, that's no excuse anymore. YMMV.
Micha