Block .inc Files from Displaying on an Apache Web Server

Many PHP developers use the .inc file extension to signify a script that is included by another script rather than requested on its own. This naming convention is very handy when scanning a directory or a block of code for specific references or calls.

One of the major benefits of using a .inc file rather than a .php file is that Apache, by default, does not hand .inc files to the PHP interpreter, so a .inc requested directly from the browser is never executed. This keeps portions of your script from being run out of context by clever attackers. The downside is the flip side of the same behaviour: since Apache has no handler for .inc, it serves the file as a static document and sends its contents to the browser. This obviously poses a serious security risk to your application. For example, a connection.inc file holding database connection details, requested directly, would print the hostname, username and password of your database to anyone who asks for it, handing an attacker everything needed to connect to your database directly.

Thankfully, there is an easy solution. Apache lets you add a few directives to your httpd.conf that deny any direct request for a .inc file. The restriction applies only to requests that arrive through the web server: PHP's include and require read the file from disk, so your scripts keep working, while a browser asking for the file directly receives 403 Forbidden instead of its contents. This both keeps the file from being run outside the context of another script and keeps it from being sent as text. To disallow access to .inc files, add the following (Apache 2.2 syntax) to your httpd.conf:

<Files "*.inc">
Order allow,deny
Deny from all
</Files>
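The block above uses the Apache 2.2 access-control syntax. Apache 2.4 replaced Order, Allow and Deny with the Require directive, and the old directives only work on 2.4 if mod_access_compat is loaded (otherwise httpd refuses to start with "Invalid command 'Order'"). The following is an added example, not part of the original post, showing the same rule in both syntaxes so one configuration works on either version. It uses FilesMatch with a regular expression so that editor backup copies such as connection.inc.bak are covered too; the IfModule test on mod_authz_core.c (a module that exists only in 2.4) is the version switch, and the pattern itself is an assumption you should adjust to your own naming.

```apache
# Added example (not from the original post): deny direct web requests for
# include files on Apache 2.2 and 2.4 with one configuration.
# Put this in httpd.conf, or in an .htaccess file if AllowOverride permits
# (Require needs AllowOverride AuthConfig; Order/Deny need AllowOverride Limit).

# Apache 2.4 and later: mod_authz_core provides "Require".
<IfModule mod_authz_core.c>
    # Matches name.inc and name.inc.<anything> (e.g. connection.inc.bak)
    <FilesMatch "\.inc(\..*)?$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so use the classic syntax.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.inc(\..*)?$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

After reloading Apache, verify the rule with `curl -sI http://localhost/path/to/connection.inc`; the status line should read 403 Forbidden, while a page that includes connection.inc keeps working because include reads the file from the filesystem, not through the web server. The safest arrangement is still to keep include files outside the DocumentRoot, where there is nothing for Apache to serve; the FilesMatch rule is the second layer for files that have to live under the document root.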
