I just ran a search for PHP code which included files called “db.inc”.
It was surprising to find so many (100 results).
The problem with this is that I can now use the knowledge that those projects include files called “db.inc” to read said files, and use the database details I would guess are contained therein for my own nefarious plans.
A quick and simple way to make your configuration files unreadable to the casual viewer is to use the .php extension for those files (i.e. db.php instead of db.inc): the server then executes the file and sends only its output, never its source.
A different way is to keep the .inc extension but add a .htaccess file to the root of your web directory containing this:

<FilesMatch "\.inc$">
    order allow,deny
    deny from all
</FilesMatch>
That returns a 403 Forbidden to casual browsers requesting anything whose name ends in “.inc”.
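As an added example (not part of the original post), here is a small POSIX shell audit that lists .inc files under a document root that are not covered by a root-level .htaccess deny rule. It is a heuristic: it looks for a FilesMatch block mentioning ".inc" together with either the Apache 2.2 `Deny from all` or the Apache 2.4 `Require all denied` directive, and assumes the server honours .htaccess at all (AllowOverride must permit it). The function name and the path passed to it are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post.
# list_unprotected_inc DOCROOT
#   Prints one path per line for every *.inc file under DOCROOT unless the
#   root .htaccess carries a FilesMatch rule for .inc with a deny directive.
#   Prints nothing when the rule is present. Heuristic only: it greps the
#   .htaccess text, it does not ask Apache what it would actually serve.
list_unprotected_inc() {
    docroot=$1
    htaccess="$docroot/.htaccess"
    if [ -f "$htaccess" ] \
        && grep -q 'FilesMatch' "$htaccess" \
        && grep -q '\.inc' "$htaccess" \
        && grep -qiE 'Require all denied|Deny from all' "$htaccess"; then
        # Rule found: nothing to report.
        return 0
    fi
    # No (recognisable) rule: every .inc file is a candidate for exposure.
    find "$docroot" -type f -name '*.inc'
}

# Stand-alone usage: audit the document root given as the first argument.
if [ -n "$1" ]; then
    list_unprotected_inc "$1"
fi
```

Pair this with the .php-extension rename for anything that actually holds credentials; the .htaccess rule only helps on Apache and only where .htaccess overrides are enabled, whereas a .php file is never served as source regardless of server configuration.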