--- Daniel Page <[EMAIL PROTECTED]> wrote:
> If someone wants to call your .inc file like
> http://www.my.site/lib.inc they will see the code,
> as it is a text file. OK, we all know that.

No, we don't, because that is not entirely correct. There
are many cases where your Web server will not serve that
content raw. You can make it treat *.inc files as PHP
(which is just as bad of a suggestion as your suggestion of
renaming them *.php), you can deny requests to *.inc files,
or you can place your *.inc files outside of document root,
just to name a few.

> As the .inc file is in reality a renamed php script,
> containing variables, functions, etc, if you call it
> .php instead of .inc, it will be parsed by PHP

Actually, it will be executed, not just parsed. Executing
modules out of context like this can be dangerous, but
placing everything within functions as you mention does
mitigate this risk.

However, when possible (when is it not?), it is much safer
to simply place your *.inc files outside of document root.
PHP includes files based on their path on the filesystem,
not by URL, so this works out well.

This should be in an FAQ somewhere...

Chris

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
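
Added example, not part of the original message: a shell check for the situation discussed above. It lists `*.inc` files under a document root that contain PHP code; these are the candidates to move outside document root or to deny in the server config. The function names and the sample directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a document root for PHP include files that a
# default web server configuration may serve as plain text.

# exposed_includes DOCROOT
# Prints, sorted and relative to DOCROOT, every *.inc file (any letter case)
# that contains a PHP open tag. Prints nothing when the tree is clean.
exposed_includes() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    ( cd "$docroot" &&
      find . -type f -iname '*.inc' \
           -exec grep -lF -e '<?php' -e '<?=' {} + |
      sed 's|^\./||' | LC_ALL=C sort )
}

# make_sample_tree ROOT
# Builds a constructed layout: ROOT/public is the document root and
# ROOT/private is outside it. All file contents are made-up sample data.
make_sample_tree() {
    root=$1
    mkdir -p "$root/public/lib" "$root/public/inc" "$root/private"
    printf '<?php echo "home";\n' > "$root/public/index.php"
    printf '<?php $db_pass = "constructed-value";\n' > "$root/public/lib/db.inc"
    printf '<?php define("DEBUG", false);\n' > "$root/public/inc/Config.INC"
    # A .inc file with no PHP in it is not reported.
    printf 'plain text, no PHP here\n' > "$root/public/notes.inc"
}

# Stand-alone use: sh audit.sh /path/to/docroot
if [ $# -gt 0 ]; then
    exposed_includes "$1"
fi
```

Because PHP includes by filesystem path, the files this reports can be moved out of the document root and the `include`/`require` paths updated, with no change to any URL.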
