use .php as your extension for all included files
I just ran a search for PHP code that includes files called db.inc. It was surprising to find so many (100 results).
The problem is that a web server such as Apache has no handler for the .inc extension, so a direct request for db.inc is answered with the raw source instead of being run through PHP. Anyone who knows that a project includes a file called “db.inc” can request that file from any site running the project, read it, and use the database details it presumably contains for their own nefarious plans.
A quick and simple way to make your configuration files unreadable to the casual viewer is to use the .php extension for those files (i.e. db.php instead of db.inc). A direct request is then executed rather than served, which usually yields an empty page; keep in mind that whatever the file does when executed (opening a connection, for example) will then run on every such request, so a file that holds nothing but assignments is the safest candidate, and keeping the file outside the document root altogether avoids the question entirely.
A different way is to keep the .inc extension but add a .htaccess file to the root of your web directory containing this:
    <FilesMatch "\.inc$">
        order allow,deny
        deny from all
    </FilesMatch>
That denies casual browsers access to anything whose name ends in “.inc” (note the trailing $ in the pattern: a stray copy named db.inc.bak would not be covered). The Order/Deny directives are the Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all denied. In either version the .htaccess file only takes effect if AllowOverride permits it for that directory, so test with a direct request for the file before relying on it.
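To check which of these situations you are actually in, here is a small audit script, added as an example and not part of the original post. It walks a document root, flags files whose extension the server would serve as plain text, and treats a file as protected only if an .htaccess in its directory or an ancestor contains a FilesMatch block that denies all access in either the 2.2 or the 2.4 syntax. The extension list, the sample file tree and the placeholder credentials are constructed for the example; the script does not model AllowOverride, Files or Directory blocks, or handler configuration in httpd.conf, so a clean report from it is a first check, not proof.

```python
import re
import tempfile
from pathlib import Path

# Extensions assumed (for this example) to have no PHP handler: requested
# directly, Apache returns their contents as plain text.
PLAINTEXT_EXTS = {".inc", ".ini", ".conf", ".sql", ".bak", ".old", ".orig"}

FILESMATCH_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.I | re.S)
# Apache 2.2 "Deny from all" and Apache 2.4 "Require all denied".
DENY_ALL_RE = re.compile(r"(deny\s+from\s+all|require\s+all\s+denied)", re.I)


def denied_patterns(htaccess_text):
    """Return compiled regexes from <FilesMatch> blocks that deny all access.

    Other access-control directives (Allow, Require ip, ...) are ignored, so a
    block that merely restricts by address does not count as protection here.
    """
    patterns = []
    for match in FILESMATCH_RE.finditer(htaccess_text):
        regex, body = match.group(1), match.group(2)
        if DENY_ALL_RE.search(body):
            patterns.append(re.compile(regex))
    return patterns


def exposed_files(webroot):
    """List plain-text-served files under webroot not covered by a deny-all FilesMatch.

    Every .htaccess from the file's own directory up to webroot is consulted,
    since Apache merges per-directory config along the path.
    """
    webroot = Path(webroot).resolve()
    exposed = []
    for path in sorted(webroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PLAINTEXT_EXTS:
            continue
        patterns = []
        directory = path.parent
        while True:
            htaccess = directory / ".htaccess"
            if htaccess.is_file():
                patterns.extend(denied_patterns(htaccess.read_text()))
            if directory == webroot:
                break
            directory = directory.parent
        if not any(p.search(path.name) for p in patterns):
            exposed.append(path.relative_to(webroot).as_posix())
    return exposed


def build_sample_tree(root):
    """Write a constructed document root covering the situations in the post."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "old").mkdir(exist_ok=True)
    config = "<?php $db_user = 'app'; $db_pass = 'placeholder';\n"  # constructed, not real
    # 1. The problem case: credentials in a .inc file with nothing protecting it.
    (root / "db.inc").write_text(config)
    # 2. Renamed to .php: the server executes it instead of serving the source.
    (root / "config.php").write_text(config)
    # 3. Still .inc, but the directory's .htaccess denies every .inc file.
    (root / "lib" / "db.inc").write_text(config)
    (root / "lib" / ".htaccess").write_text(
        '<FilesMatch "\\.inc$">\n    Require all denied\n</FilesMatch>\n'
    )
    # 4. A backup copy: "\.inc$" does not match it, so it stays readable.
    (root / "old" / "db.inc.bak").write_text(config)


def audit_sample_tree():
    """Build the sample tree in a temp dir and return what is still exposed."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return exposed_files(tmp)


if __name__ == "__main__":
    for rel in audit_sample_tree():
        print("exposed:", rel)
```

Run it against a real document root with `exposed_files("/var/www/html")`; the sample tree reports db.inc (unprotected) and old/db.inc.bak (the pattern's trailing $ does not cover it), while config.php and lib/db.inc are not listed.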