Remember that most files are public

When you have files in your public HTML directory, people can get at them - it is that simple. There was a silly craze a while ago to use the file extension ".inc" for include files - scripts that only served to be included into other scripts. While this might make sense, and allows you to see how a script works simply by looking at its name, it is actually a major security hole.

For example, if you save your database connection info in a file, then include() that file into every script you write, that file would probably be called something like Now, what happens if someone were to type directly into his or her web browser? Your web server would load the ".inc" file, and send it as plain text because it does not end in a PHP-handled file extension, which means that someone accessing the .inc file directly would see your source code.

A much better solution, if you particularly want to mark your files as include files, is to use the extension .inc.php - this way, they will be parsed by PHP before being sent to people directly, and therefore will not reveal your source code.


Want to learn PHP 7?

Hacking with PHP has been fully updated for PHP 7, and is now available as a downloadable PDF. Get over 1200 pages of hands-on PHP learning today!

If this was helpful, please take a moment to tell others about Hacking with PHP by tweeting about it!

Next chapter: Hide your identity >>

Previous chapter: Put key files outside your document root

Jump to:


Home: Table of Contents

Copyright ©2015 Paul Hudson. Follow me: @twostraws.