[nycphp-talk] FUNDAMENTALS #1: Site Structure

Jim Hendricks jim at bizcomputinginc.com
Thu Sep 4 13:52:07 EDT 2003


I would agree to setting Apache to not serve .inc files except that I want
to maintain a consistent standard from one application to another.  I don't
have access to configure Apache on many applications because the app runs on a
shared box.  Then there's when running under <gasp> IIS.  If I standardize
on the .inc extension protected via the web server then I need to have
knowledge of how to do it in all the various environments I may work in.
Standardizing on putting includes in a subdir of the app root & using the
.php extension to protect those include files from direct download allows me
to work in most any php environment, no need to have access to Apache, no
need to have access to ftp outside the webroot, no need for knowledge of the
web server either.

This also allows me to work the same in PHP as I do in ASP.  Same standard,
different language.

So I would also say that I fall into the 2nd category of I know the risks
but consider the convenience a worthwhile compromise.

Knock on wood, but in 8 years of web app development ( mostly in ASP and
JSP ) I have yet to have an application hacked.  That may be mostly luck,
but I'd like to think it's partly due to the standards I've adopted.

Jim

----- Original Message ----- 
From: "Adam Fields" <fields at surgam.net>
To: <shiflett at php.net>; "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Thursday, September 04, 2003 11:23 AM
Subject: Re: [nycphp-talk] FUNDAMENTALS #1: Site Structure


> On Thu, Sep 04, 2003 at 08:09:29AM -0700, Chris Shiflett wrote:
> > I guess the answers could break down into three categories:
> >
> > 1. I place my includes under document root for convenience, and I'm not
> > aware of any problems that could cause.
> > 2. I understand the risk in doing so, but I still place my includes
> > under document root.
> > 3. I place my includes outside of document root. It is a simple task,
> > and it is at least more secure than doing otherwise.
>
> I typically name my includes with .inc extensions and set Apache to
> not serve those files directly. This is both relatively convenient and
> relatively secure.
>
> -- 
> - Adam
>
> -----
> Adam Fields, Managing Partner, fields at surgam.net
> Surgam, Inc. is a technology consulting firm with strong background in
> delivering scalable and robust enterprise web and IT applications.
> http://www.adamfields.com
>
>



