use .php as your extension for all included files

I just ran a search for PHP code which included files call db.inc.

It was surprising to find so many (100 results).

The problem with this, is that I can now use the knowledge that those projects include files called “db.inc” to read said files, and use the database details I would guess is contained therein for my own nefarious plans.

A quick and simple way to make your configuration repositories unreadable to the casual viewer is to use the .php extension for those files (ie; db.php instead of db.inc).

A different way is to still use the .inc extension, but add a .htaccess to the root of your web directory, containing this:

<FilesMatch "\.inc$">
  order allow,deny
  deny from all
</FilesMatch>

That would ban casual browsers from reading anything with the extension “.inc”.

1 Comments.

  1. A very useful tip. I often find that it is useful, for my own housekeeping purposes, to keep all of my included files within a directory called “inc” or “includes”, as well as to name them like “db.inc.php” so that I know they are included files, but other folk can’t get at their contents.

%d bloggers like this: