use .php as your extension for all included files
I just ran a search for PHP code which included files call
It was surprising to find so many (100 results).
The problem with this, is that I can now use the knowledge that those projects include files called “db.inc” to read said files, and use the database details I would guess is contained therein for my own nefarious plans.
A quick and simple way to make your configuration repositories unreadable to the casual viewer is to use the
.php extension for those files (ie;
db.php instead of
A different way is to still use the
.inc extension, but add a
.htaccess to the root of your web directory, containing this:
<FilesMatch "\.inc$"> order allow,deny deny from all </FilesMatch>
That would ban casual browsers from reading anything with the extension “.inc”.
A very useful tip. I often find that it is useful, for my own housekeeping purposes, to keep all of my included files within a directory called “inc” or “includes”, as well as to name them like “db.inc.php” so that I know they are included files, but other folk can’t get at their contents.