
Security Using .inc File


EvilAsh (Technical User, GB), Oct 22, 2005
Hi there.

When building php files in the past I have always added a line of code to connect to the database including the db name, username and password.

A tutorial I have just read suggests that you may declare these details as variables in a .inc file and simply have the script call this file whenever a page is loaded.

This sounds like a great idea as it would allow me to move files from test to production without having to recode every time.

Do many of you do it this way? If so, are there any added security risks in keeping these details in an external file?

Thanks.
 
for example:

Code:
<?php
// the db.inc file
// The opening <?php tag matters: without it, require would simply
// output the file's contents as text into the page.
$host   = "hostname";
$user   = "username";
$pwd    = "password";
$dbname = "databasename"; // mysql_select_db() takes a database name, not a server name

Code:
<?php
// your normal page
require "db.inc";
$link = mysql_connect($host, $user, $pwd)
    or die("Could not connect: " . mysql_error());
mysql_select_db($dbname, $link)
    or die("Could not select database: " . mysql_error());
 
That's what I had in mind.

I understand that the .inc file is returned as plain text to anyone who finds it. Can it be concealed? Am I being paranoid?!?
 
I would keep such a file on your server's filesystem somewhere outside the document root of your web site.

Your scripts can use include() across your server's filesystem, and a user can't fetch the .inc file by calling it through the web browser.



Want the best answers? Ask the best questions! TANSTAAFL!
 
Cool, thanks.

If it were kept in the site root, is there a risk it might be picked up by a search engine?
 
Only if you have some HTML that links to it.

But I'm not worried about search engines. I'm worried about more actively-hostile entities.



Want the best answers? Ask the best questions! TANSTAAFL!
 
You can protect .inc files by putting them outside of the document root, and also by having Apache deny access to them with a <Files> directive.

Personally, I name them "*.inc.php", which makes them easy to identify and useless if viewed by a browser.
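The two suggestions above (keep the credentials file outside the document root, and name it so it is parsed as PHP even if it is ever reached through the web server) combined into one worked example. This is an added example, not code from the thread; it assumes the web root is /var/www/html and the credentials live in /var/www/config/db.inc.php, a file that returns an array. If the file does have to stay inside the web tree, the Apache counterpart of the <Files> advice is `<FilesMatch "\.inc$">` containing `Require all denied` (Apache 2.4) or `Order allow,deny` followed by `Deny from all` (Apache 2.2).

```php
<?php
// Added example, not from the original thread. Assumes the credentials live in
// /var/www/config/db.inc.php, a directory that is NOT the DocumentRoot (here
// taken to be /var/www/html). That file is assumed to look like:
//
//   <?php
//   return ['host' => 'localhost', 'user' => 'app_user',
//           'pass' => 'replace-me', 'name' => 'app_db'];
//
// Returning an array (instead of setting $host, $user, ... as globals) keeps
// the credentials out of the including script's global scope.

declare(strict_types=1);

function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("DB config not found or unreadable: $path");
    }

    // Refuse a config file that sits inside the document root. Even with an
    // opening <?php tag it is one misconfiguration away (PHP handler not
    // mapped to .inc, a .bak copy left behind) from being served as plain text.
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
    if ($docroot !== false) {
        $prefix = rtrim($docroot, '/') . '/';
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException("DB config must live outside the document root: $real");
        }
    }

    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

function connectDb(array $cfg): mysqli
{
    // Throw on failure instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
}

$cfg = loadDbConfig('/var/www/config/db.inc.php');
$db  = connectDb($cfg);
unset($cfg); // don't keep the password in scope longer than needed
```

The document-root check is the practical safeguard: moving a file is easy to get wrong during a test-to-production copy, and failing loudly at include time is better than discovering the password through a browser later. The file itself should be owned by a deploy user and readable only by the web server account (for example mode 0640 with the web server's group), since "outside the document root" does nothing against another local user on the same box.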
 
There is a decent section about security issues with using .inc files in the PHP Security Guide, the specific section is located here.

Another suggestion it offers is setting up your server so that you can access db credentials in PHP using server variables ($_SERVER)
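The $_SERVER approach mentioned above, as an added example that is not from the thread or from the PHP Security Guide. It assumes the Apache virtual host sets the values with `SetEnv DB_HOST ...`, `SetEnv DB_USER ...`, `SetEnv DB_PASS ...` and `SetEnv DB_NAME ...` in httpd.conf or the vhost file (readable by root only), so no file under the web tree ever contains the password; the variable names are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes the Apache vhost
// contains, for example:
//   SetEnv DB_HOST localhost
//   SetEnv DB_USER app_user
//   SetEnv DB_PASS replace-me
//   SetEnv DB_NAME app_db
// The variable names DB_HOST/DB_USER/DB_PASS/DB_NAME are assumptions.

declare(strict_types=1);

function dbSettingFromEnv(string $key): string
{
    // Under mod_php SetEnv values appear in $_SERVER; under CGI/FastCGI
    // setups they are usually reachable through getenv(). Check both and
    // fail closed rather than connecting with an empty password.
    $value = $_SERVER[$key] ?? getenv($key);
    if ($value === false || $value === null || $value === '') {
        throw new RuntimeException("Required DB setting '$key' is not set");
    }
    return (string) $value;
}

function connectDbFromEnv(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli(
        dbSettingFromEnv('DB_HOST'),
        dbSettingFromEnv('DB_USER'),
        dbSettingFromEnv('DB_PASS'),
        dbSettingFromEnv('DB_NAME')
    );
}

$db = connectDbFromEnv();
```

Two caveats before relying on this: anything that dumps the environment, phpinfo() above all, will print the password, so never leave a phpinfo() page on the host; and SetEnv values are visible to every script running in that virtual host, so on shared hosting this is only as private as the vhost is. With PHP-FPM the equivalent is an `env[DB_PASS] = ...` line in the pool configuration, which scopes the value to that pool.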
 
Thanks for all the advice. I will consider my options.
 