Mark Hensler — Thu, 31 Jul 2003 23:52:07 +0000

.inc files are not magical. Files being included into a PHP file can have any extension, or no extension at all. What causes the contents of the included file to be parsed as PHP, are the PHP tags (

<?php
 
?>

) which surround your code in the included file.

Yes. If you have include files with a .php extension within the webtree, you will see no php source code when viewing them directly from a browser.

m3rajk — Thu, 31 Jul 2003 19:27:33 +0000

suzanne: the only browser i can get to open it are mozille, galeon and konqueror .... but only when i'm caling them FROM that computer using the internal address

mark: so theoretically, if i have it as a .php i can have it IN the webtree and unless i'm at the computer pulling it up in an editor i wont see the code? and will it act like a .inc file where the functions are responded to as if i wrote them in that file? or is the behavior different?

Mark Hensler — Thu, 31 Jul 2003 17:52:59 +0000

Being outside of DOCUMENT_ROOT simply means that you cannot point your browser to that file directly. Which is not a problem for files with a .php extensions on a properly configured web server.

Think of all those those scripts on HotScripts.com with their config files within DOCUMENT_ROOT. Heck, even vBulletin. How many of them have you copy files outside of DOCUMENT_ROOT?

Like I said earlier, I do this as well. But I do this for convenience, not security. For one of my current projects, several sub-domains require the same library files, includes, and config files. Instead of keeping X copies (one for each sub-domain), I have one copy outside DOCUMENT_ROOT and use .htaccess to include the directory in PHP's include_path.

Suzanne — Thu, 31 Jul 2003 17:26:51 +0000

Hypothetically, yes. Test!

m3rajk — Thu, 31 Jul 2003 16:09:42 +0000

so since this is out of the web directory the include file wont be seen.. right?

Suzanne — Thu, 31 Jul 2003 04:34:57 +0000

There is a suggestion from Kevin Yank (and probably many other more knowledgeable than I PHP programmers) to put .inc files in non-public directories so they cannot be viewed.

Specifically he says:

Quote:
...you should put any security-sensitive code into an include file, and place that file into a directory that's not part of your Web server's directory structure. If you add that directory to your PHP include_path setting (in php.ini), you can refer to the files directly with the PHP include function, but have them tucked safely somewhere where your Web server can't display them as Web pages.

Mark Hensler — Thu, 31 Jul 2003 04:22:33 +0000

I'm speaking from experience with Apache, though I would assume most other web servers would be configured the same.

.php extensions are associated with the "application/x-httpd-php" mime type.
.inc extensions are usually not associated with any mime type, so fall under the default mime type of "text/plain".

"application/x-httpd-php" mime types are first parsed by the PHP interpreter, and only the output from the interpreter is sent to the requesting host.

"text/plain" mime types are not passed through any interpreters, and so, are sent to the requesting host in their entirety.

m3rajk — Thu, 31 Jul 2003 03:19:31 +0000

i'm also root on this particular server, so while it's here i dont have to worry about future access

however, if you could explain to me why a .php file would never be shown to a user yet a .inc file could be, i'd love to hear it, since the very reason i have for doing that is to make it so people cannot see the contents of the file with the db pws as well as two otoher things i haven't finished masking all of it yet

btw: you were right. needed to be 755 instead of 744

Mark Hensler — Thu, 31 Jul 2003 01:57:50 +0000

First off, to you not want to chown/chgrp any files to the apache user. You will have a heck of a time editing (or even removing) them down the line.

As for moving files outside DOCUMENT_ROOT... I do this too, but I wouldn't say it's more secure. Having file extensions of .inc is what causes the security problem while within DOCUMENT_ROOT. Had you used .php file extensions, the contents would never be shown to the user.

Directory permissions are a tad different than file permissions. If I remember correctly, +RX is necessary to list the contents of a directory. +R may suffice for accessing a known file within the directory, but I'm not certain. You may want to try setting you're /home/joshua to 755.

m3rajk — Wed, 30 Jul 2003 22:31:19 +0000

the file has one include. all the files for the site have one include file. the include directory is outside of the web tree for security. the main include file is actually a list of include files, including the one with all the database passwords in it, which will be changed from 444 to 400 once i have everything running and know i wont need to change it. i also plan on chowning and chgrping it to apache (user the webserver runs as).
i figure at that point if anyone can crack into the db by using that file i have much bigger problems than stupidity in my code. and if i'm allowed to do that when i find a real host for it, it helps security there... well helps me know the site's more secure.

right now all the files in the include directory are 644 so that i may modify them, and apache may read them

the include direcotry itself is 775
my home directory is probably the issue. if that's not the case i'll let you know

nope. i set my home directory to 744 and /home is actually 775

so....
/home/joshua/includes/fyd.incs.inc
has permissions
/775/744/775/644
the files it includes are also 644

overview for those unfamilliar with chmod and numerical permissions:
4=read
5=read/execute
6=read/write
7=read/write/execute

which means that the everyone can read the directory and files (for now)