Short one – the summer 2006 copy of .net has an interesting article on how to secure PHP scripts used in e-commerce (and generally to be honest).
While overall the article is very well written, there is one glaring thing I think is way off the mark. Given that this is not a beginners' topic, and that on the third page the author (Paul Hudson) talks about editing the httpd.conf file to suppress the X-Powered-By header PHP adds, it is strange that the advice about PHP includes is simply to rename them all from .inc to .php.
First oddity: it has been quite some time since the standard for PHP includes was filename.inc, but this is minor. Now Mr Hudson's concern is that people can request the .inc file directly and view it as plain text (if they know the name of your .inc file), which is obviously a problem if all your DB logon data is in one.
Now the solution is massive overkill. If you had a site with (say) ten pages calling the same ten *.inc files, it would be a bit of a pain to rename the files to .php and change every include() to the new name. Now what if your site was ten times that size? Drama to say the least, even with good old grep.
Surely the simplest, most common-sense solution is to (as mentioned on p84) alter the way the server handles the file? In Apache this works: AddType x-mapp-php5 .inc, as does AddType application/x-httpd-php .inc.
One change and everything is resolved.
Is this easier or am I mad?
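As an added check (not from the .net article or this post), the script below scans a document root for .inc files and reads an httpd.conf fragment to see whether .inc is mapped to a PHP type, so you can confirm the one-line AddType fix actually covers every include before trusting it. It assumes a constructed temp web root and config text; the MIME types it accepts are the two named above, and it deliberately treats application/x-httpd-php-source as not fixed, since that type serves the file as highlighted source rather than executing it.

```python
"""Audit an Apache web root for .inc files that would be served as plain text."""
import os
import re
import tempfile

# Types that make Apache hand a file to the PHP engine (the two from the post).
PHP_TYPES = {"application/x-httpd-php", "x-mapp-php5"}
DIRECTIVE_RE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)


def inc_handled_by_php(conf_text):
    """True if the config maps .inc to a type that executes rather than shows it.

    Comments are stripped and a later directive for .inc overrides an earlier one.
    application/x-httpd-php-source is not in PHP_TYPES on purpose: it shows source.
    """
    handled = False
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        mime, exts = m.group(2).lower(), m.group(3).split()
        if "inc" in {e.lower().lstrip(".") for e in exts}:
            handled = mime in PHP_TYPES
    return handled


def find_inc_files(webroot):
    """Relative paths of every .inc file under the document root."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        for f in files:
            if f.lower().endswith(".inc"):
                rel = os.path.relpath(os.path.join(dirpath, f), webroot)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def exposed_inc_files(webroot, conf_text):
    """The .inc files a client could still fetch as plain text under this config."""
    return [] if inc_handled_by_php(conf_text) else find_inc_files(webroot)


def demo():
    """Constructed web root plus the config before and after the AddType line."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    for name in ("lib/db.inc", "lib/header.inc", "index.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // constructed sample file ?>\n")
    before = "AddType application/x-httpd-php .php\n"
    after = before + "AddType application/x-httpd-php .inc   # the one-line fix\n"
    return exposed_inc_files(root, before), exposed_inc_files(root, after)
```

Once .inc is mapped to PHP, a direct request runs the file instead of displaying it, so the check only confirms the source is no longer readable, not that the include does nothing when run on its own.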