*.inc files - secure or not

kerryman

Joined: 2005-10-14
Posts: 130
Posted: Fri, 2005-10-21 16:03

There are a lot of PHP programmers who say "never use the inc extension".
I found you can access the source of a page using a browser, because it will print the
whole file (with the inc extension). It will never happen with *.php files.
For those who do not believe, please type in your browser
http://--servername---/gallery2/init.inc
I have "gallery2", but one can have a different name of course.

I know gallery is an open source-based system. But considering the fact that
some people are implementing commerce solutions, and that's exactly what I'm interested in,
my concern is: is it safe enough? I suppose one could go through all the source and files, changing *.inc into *.php, but if you are sure it is safe, I'm ok too.

For your time and consideration - thank you. Chris

valiant

Joined: 2003-01-04
Posts: 32509
Posted: Fri, 2005-10-21 16:09

what's insecure about .inc files if those files don't include scripts, but only function or class definitions?
no code gets executed.

the only reason why one would want to not show the contents of the .inc files is that it's easier to find out what version of the application is used on this server and thus if security vulnerabilities are known for the version in question, one could hack it a little faster.

if you're concerned about users finding out what g2 version you're running, then add a deny from all for .inc line in your .htaccess / httpd.conf.
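
The .htaccess / httpd.conf rule valiant describes, written out as an added example (not code from the thread or from Gallery itself); it assumes Apache and shows both the older mod_access syntax and the Apache 2.4 mod_authz_core equivalent:

```apache
# Added example: refuse direct HTTP requests for any file ending in .inc,
# so the server never hands include/library source to a browser.
# Place in httpd.conf, or in the site's .htaccess if AllowOverride allows Limit/AuthConfig.
# (?i) makes the match case-insensitive, so INIT.INC on a case-insensitive
# filesystem is covered as well.

<FilesMatch "(?i)\.inc$">
    # Apache 2.2 (or 2.4 with mod_access_compat loaded):
    Order allow,deny
    Deny from all

    # Apache 2.4 native syntax; use this line instead of the two above:
    # Require all denied
</FilesMatch>
```

After reloading Apache, a request for /gallery2/init.inc should return 403 Forbidden instead of the file contents; PHP scripts that include the .inc files from the filesystem are unaffected, since the rule only applies to requests arriving over HTTP.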

kerryman

Joined: 2005-10-14
Posts: 130
Posted: Fri, 2005-10-21 16:25

Ok, you convinced me. If you are saying there is nothing critical in gallery's inc files, that's totally OK. My concern was general. I didn't go through the whole code yet :) And probably will not :)
Didn't mean anything wrong. It's just that I'm learning PHP from the basics. Wasn't sure, so I asked.
Thanks for the quick response, valiant. I will sleep easily tonight :)

kind regards, Chris

mindless

Joined: 2004-01-04
Posts: 8601
Posted: Sat, 2005-10-22 03:36

valiant, some will also want to protect their custom code or local tpls.
I've made a note on the docs request list to add a FAQ/howto about this, and wrote some of the content.