
Thread: Re: folder structure




user name
2007-05-05 09:28:41
> > > Another (simpler?) solution could be to rename them dropping the .php
> > > extension so they will be not being served on the net.
> >
> > I don't agree at all. Security should not be by chance.
> True
>
> > You are
> > relying that someone has excluded files without .php from being
> > served by Apache.
> huh??? do you mean that by default apache will execute something.inc
> in your web accessible folder? I don't think that is the case

More to the point,

By labelling files as .php, you can ensure that they are executed. For
example, I'd rather the config file be called config.php than config.inc as
one name is more likely to allow data to be leaked on a mis-configured
server. I know this isn't the same as the idea you have, but I think it's a
good reason to leave the extension alone. The location of the files could
probably have been better chosen.

Paul


_______________________________________________
mantisbt-dev mailing list
mantisbt-devlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
