include files
Martín Marqués
martin at bugs.unl.edu.ar
Wed Nov 23 19:34:34 CET 2005
On Wed 23 Nov 2005 15:16, Thomas -Balu- Walter wrote:
> Hello all,
>
> I have two short suggestions regarding include-files:
>
> IMHO the include files (in program/include/ e.g.) should have an
> ".inc.php" ending to avoid calling them directly in the browser. Since
> those are not config files it might not be a big security problem, but
> it might still be possible to identify the roundcube version or other
> "sensitive" data by having a look at them.
Well, what I normally do is name all the include files with an .inc ending and
deny access to those files (for example in the .htaccess file in the root
directory).
> Another idea for those files is to disable access completely:
>
> The files that are allowed to be called in the browser should have a
> simple define at the beginning:
>
> <?php define('ROUNDCUBE', true); ?>
>
> The include files, etc. can now check for this define and handle it
> somehow - e.g.:
>
> <?php if (!defined('ROUNDCUBE')) exit('You are not allowed to call this file directly.'); ?>
I don't get your idea. Why should these files ever be called directly? Deny
them in the htaccess file and keep coding. :-)
> Another solution could be a redirect to the index page using header()?
>
> Balu
> PS: I know, coding-style is a very picky topic and of course personal
> preference, but is there any chance to make you switch to the PEAR
> coding standards regarding indents, brackets, ...? :-)
> -> http://pear.php.net/manual/en/standards.php
I second this!
--
15:30:53 up 14 days, 4:27, 1 user, load average: 1.26, 3.45, 2.75
---------------------------------------------------------
Lic. Martín Marqués | SELECT 'mmarques' ||
Centro de Telemática | '@' || 'unl.edu.ar';
Universidad Nacional | DBA, Programador,
del Litoral | Administrador
---------------------------------------------------------
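
An added example, not part of the original messages or RoundCube's code: a small Python audit covering the two approaches discussed in this thread. It flags include files that are not `.php` (returned as source unless the web server denies them), `.php` includes with no `defined()` guard, and guards that test a constant the entry script never defines. The `program/include` path comes from the thread; the single `index.php` entry script, the function names and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches a guard such as: if (!defined('ROUNDCUBE')) exit(...);
GUARD = re.compile(r"if\s*\(\s*!\s*defined\s*\(\s*['\"](\w+)['\"]\s*\)\s*\)\s*(exit|die)\b")
# Matches the define an entry script is expected to make.
DEFINE = re.compile(r"define\s*\(\s*['\"](\w+)['\"]")

def audit_includes(root, include_dir="program/include", entry="index.php"):
    """Return {relative_path: [findings]} for include files under root."""
    root = Path(root)
    defined = set(DEFINE.findall((root / entry).read_text(errors="replace")))
    report = {}
    for path in sorted((root / include_dir).rglob("*")):
        if not path.is_file():
            continue
        findings = []
        head = path.read_text(errors="replace")[:2048]
        guard = GUARD.search(head)
        if path.suffix != ".php":
            # e.g. foo.inc: not run by PHP, so the web server returns the source
            findings.append("served as source unless the web server denies it")
        elif guard is None:
            findings.append("no defined() guard: runs when requested directly")
        if guard and guard.group(1) not in defined:
            findings.append(f"guard checks {guard.group(1)}, which {entry} never defines")
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report

def build_sample_tree(base):
    """Constructed sample layout for the demo, not real RoundCube files."""
    inc = Path(base) / "program" / "include"
    inc.mkdir(parents=True)
    (Path(base) / "index.php").write_text("<?php define('ROUNDCUBE', true); require 'program/include/main.inc.php';")
    (inc / "main.inc.php").write_text("<?php if (!defined('ROUNDCUBE')) exit('no direct access');\n$v = 1;")
    (inc / "bugs.inc.php").write_text("<?php if (!defined('APPLICATION')) exit('no');\n")
    (inc / "old.inc").write_text("<?php $version = 'x'; ?>")
    (inc / "bare.inc.php").write_text("<?php function f() {}\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, notes in audit_includes(build_sample_tree(tmp)).items():
            print(name, "->", "; ".join(notes))
```

A file reported as "served as source" is only a problem if the web server has no deny rule for it, so this check complements the .htaccess approach rather than replacing it.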