When you have files in your public HTML directory, people can get at them - it is that simple. There was a silly craze a while ago to use the file extension ".inc" for include files - scripts that only served to be included into other scripts. While this might make sense, and allows you to see how a script works simply by looking at its name, it is actually a major security hole.
For example, if you save your database connection info in a file, then include() that file into every script you write, that file would probably be called something like dbconnect.inc. Now, what happens if someone were to type www.example.com/dbconnect.inc directly into his or her web browser? Your web server would load the ".inc" file, and send it as plain text because it does not end in a PHP-handled file extension, which means that someone accessing the .inc file directly would see your source code.
A much better solution, if you particularly want to mark your files as include files, is to use the extension .inc.php - this way, they will be parsed by PHP before being sent to people directly, and therefore will not reveal your source code.
If this was helpful, please take a moment to tell others about Hacking with PHP by tweeting about it!
Next chapter: Hide your identity >>
Previous chapter: Put key files outside your document root
Home: Table of Contents
Copyright ©2015 Paul Hudson. Follow me: @twostraws.