From: Paul <pa...@qu...> - 2007-05-05 14:28:55
> > > Another (simpler?) solution could be to rename them dropping the
> > > .php extension so they will be not being served on the net.
> >
> > I don't agree at all. Security should not be by chance.
> True
>
> > You are
> > relying that someone has excluded files without .php from being
> > served by Apache.
> huh??? do you mean that by default apache will execute something.inc
> in your web accessible folder? I don't think that is the case

More to the point, by labelling files as .php, you can ensure that they are executed. For example, I'd rather the config file be called config.php than config.inc as one name is more likely to allow data to be leaked on a mis-configured server.

I know this isn't the same as the idea you have, but I think it's a good reason to leave the extension alone. The location of the files could probably have been better chosen.

Paul
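An added example, not part of the original message: a small audit for the config.inc versus config.php case discussed above. It walks a document root and reports files that contain PHP code but carry an extension the PHP handler does not execute. The handler mapping (`EXECUTED_EXTENSIONS`), the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: only these extensions are mapped to the PHP handler on this server.
EXECUTED_EXTENSIONS = {".php"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def find_leakable_sources(docroot, executed=EXECUTED_EXTENSIONS):
    """Return sorted relative paths of files under docroot that contain PHP
    code but whose extension is not executed, so a direct request could
    return their source (credentials included) as plain text."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in executed:
                continue  # executed by PHP, source is not sent to the client
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # the opening tag sits near the top
            except OSError:
                continue  # unreadable file: nothing to report
            if any(tag in head for tag in PHP_OPEN_TAGS):
                findings.append(os.path.relpath(path, docroot))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed sample document root in a temporary directory."""
    root = tempfile.mkdtemp(prefix="docroot_")
    samples = {
        "config.php": b"<?php $db_pass = 'example'; ?>",
        "config.inc": b"<?php $db_pass = 'example'; ?>",
        os.path.join("lib", "db.inc"): b"<?php function connect() {} ?>",
        "index.html": b"<html></html>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel in find_leakable_sources(build_sample_docroot()):
        print("source exposed if requested directly:", rel)
```

Pass the set of extensions your server actually hands to PHP as `executed`; anything the audit still reports should be renamed, denied in the server configuration, or moved outside the document root.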