On Wed 23 Nov 2005 15:16, Thomas -Balu- Walter wrote:
Hello all,
I have two short suggestions regarding include-files:
IMHO the include files (in program/include/ e.g.) should have an ".inc.php" ending to avoid calling them directly in the browser. Since those are not config files it might not be a big security problem, but it might still be possible to identify the roundcube version or other "sensitive" data by having a look at them.
Well, what I normally do is name all the include files with .inc ending and deny access to those files (for example in the .htaccess file in the root directory).
Another idea for those files is to disable access completely:
The files that are allowed to be called in the browser should have a simple define at the beginning:
<?php define('ROUNDCUBE', true); ?>
The include files, etc. can now check for this define and handle it somehow - e.g.:
<?php if (!defined('ROUNDCUBE')) exit('You are not allowed to call this file directly.'); ?>
I don't get your idea. Why should these files ever be called directly? Deny them in the htaccess file and keep coding. :-)
Another solution could be a redirect to the index page using header()?
Balu
PS: I know, coding-style is a very picky topic and of course personal preference, but is there any chance to make you switch to the PEAR coding standards regarding indents, brackets, ...? :-) -> http://pear.php.net/manual/en/standards.php
I second this!
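
An added example, not part of the original thread or of the RoundCube code base: a small shell audit that reports which files in an include directory lack the `defined()` guard proposed above, and which end in a bare `.inc` and so depend entirely on a deny rule. The function name `audit_includes`, the five-line window and the finding labels are assumptions made for this sketch; the constant name is passed as a parameter.

```shell
#!/bin/sh
# Audit a PHP include directory for the two protections discussed in the thread.
# Added illustration: names and output format are assumptions, not project code.

# audit_includes DIR CONST
# Prints one finding per line:
#   RAWINC  <file>  name ends in .inc (no .php); unless the server denies access
#                   or maps .inc to PHP, a direct request returns the source
#   NOGUARD <file>  no "defined('CONST')" check within the first 5 lines
audit_includes() {
    dir=$1
    const=$2
    # Pattern accepts single or double quotes and optional spaces in the call.
    pat="defined\([[:space:]]*[\"']${const}[\"'][[:space:]]*\)"
    find "$dir" -type f \( -name '*.inc' -o -name '*.php' \) | sort |
    while IFS= read -r f; do
        case $f in
            *.inc) printf 'RAWINC %s\n' "$f" ;;
        esac
        if ! head -n 5 "$f" | grep -Eq "$pat"; then
            printf 'NOGUARD %s\n' "$f"
        fi
    done
}

# Stand-alone use: ./audit.sh program/include ROUNDCUBE
if [ "$#" -ge 1 ]; then
    audit_includes "$1" "${2:-ROUNDCUBE}"
fi
```

Run it against the include directory only; the entry-point scripts that issue the `define()` are expected to have no guard.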