tags:

views:

62

answers:

3
Q: 

PHP include file extensions?

For required/included files in PHP, is it better to use .inc extensions vs .inc.php vs .php extensions?

+7  A: 

Sometimes people use the .inc extension and then do some server configuration to keep .inc files from being accessed via a web browser. This might be good, if done absolutely correctly by a knowledgeable sysadmin, but there's a better way: Any file that's not supposed to be accessed by web users should be kept outside your document root. Once these files are off the web, so to speak, you can use whatever extension you want. .php is definitely a sensible choice for syntax highlighting, general sanity, and so on.

grossvogel  2010-08-02 19:59:25
+1 for protection against a misconfigured server.
banzaimonkey  2010-08-02 20:01:10
what about putting the .inc file in the directory above `public_html`?
ina  2010-08-02 20:28:31
No problem, if you want to do that. But using the `.inc` extension breaks the natural file association for no good reason. (There is no performance benefit, as your comment above asks.)
grossvogel  2010-08-02 20:33:53
+1  A: 
vlad b.  2010-08-02 20:22:45
I usually put functions in static classes and use an __autoload() function. That way i don't need to bother with includes and the speed loss is minor compared to the time you save by not having to remember include paths (or finding typos).
vlad b.  2010-08-04 18:35:57
A: 

My personal preference is that anything in the document root is a .php file, to indicate it's directly executable by the web server, and anything that's a library is a .inc file stored in a parallel directory, to indicate it's NOT directly executable.

My standard configuration is

/home/sites/example.com/html/ - anything here is 'safe' to expose if PHP fails and serves up raw code

/home/sites/example.com/inc/ - libraries, config files with passwords (e.g. the database connection class with DB credentials), etc.. Anything that shouldn't be exposed as there's no reason for it.

While you can certainly configure Apache to deny access to .inc files and keep them inside the webroot, then you're depending on Apache to keep you safe. If PHP can fail within Apache and expose your code, then the .inc blocks can ALSO fail and expose your code's innards as well.

Of course, if Apache's coughing blood all over the floor, there's no reason that the directory traversal protection can't fail as well and let someone do http://example.com/../inc/seekritpasswords.txt.

At some point you just have to accept that if something's stored anywhere on the web server, there's a possibility that a failure may allow access to the raw data and expose everything. How much time and effort you want to expend on protecting against that is up to you.

Marc B  2010-08-02 22:51:27

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases