1 August 2006
PHP Server Security
I was reading Rasmus’s famous OOP/Procedural [MVC]* Article and came across this tidbit.
My standard production server Apache config always has:
<Files *.inc>
    deny from all
</Files>

Naming them .php instead and letting people browse them directly can be a much bigger problem since they are now being executed out of context. So you need to either put your include files outside your docroot tree, or you need to block direct access to them with an Apache rule as above.
Personally, I use .php for everything, and since every file except for the DB credentials files is a class, even if it is executed out of context it won’t do anything. But I feel like Rasmus’s strategy of naming them .inc and blocking .inc in Apache is probably more effective. I’m not sure my strategy will change, because my scripts are PHP; the fact that they’re included is irrelevant. And I’ve mostly circumvented the execution issue by wrapping everything in classes and only having a small handful of files that are designed to be called by the user and set up the specifics. But Rasmus can speak with some authority on this issue. If you are using the .inc file strategy, you might as well set up the deny-from-all rule. But give it some thought no matter which way you swing. That’s the best way to learn.
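The "executed out of context" risk can also be closed inside PHP itself, so that the handful of user-callable files are the only ones that do anything. This is an added example, not code from the post or from Rasmus’s article; the file names (index.php, lib/db.php), the constant APP_ENTRY and the placeholder credentials are assumptions.

```php
<?php
// ---- index.php: the one file meant to be requested by a browser ----
// The entry point marks itself as legitimate before pulling in any include.
// Constant name and file layout are assumptions for this example.
define('APP_ENTRY', true);
require __DIR__ . '/lib/db.php';   // assumed path

$db = db_config();
echo 'Connecting to ', $db['host'], ' as ', $db['user'], PHP_EOL;

// ---- lib/db.php: the credentials include (separate file) ----
// Named .inc and served without the Apache rule, this file would reach the
// browser as plain text, credentials included. Named .php it is executed
// instead, so it must do nothing useful when run out of context: refuse to
// continue unless the entry point defined APP_ENTRY first. Keeping it
// outside the docroot, as Rasmus suggests, is the stronger option; this
// guard is the belt-and-braces layer for files that must stay inside it.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

function db_config(): array
{
    // Placeholder values, not real credentials.
    return [
        'host' => 'db.example.internal',
        'user' => 'app',
        'pass' => 'CHANGE-ME',
    ];
}
```

Requesting lib/db.php directly now returns a 403 with no output, while index.php still loads it normally; the same guard belongs at the top of every non-entry file.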


I agree with you; however, there are some cases where the user may not be able to change the Apache configuration, or may not even be knowledgeable about doing so.
I say for the noobs and the seasoned developers, just give your files a .php extension. You need not worry about anything else at that point.