Where Are Your PHP Includes?

24 Mar 2005

Do not store your PHP includes in document root. This is a terrible practice. Here is just one reason why:

http://www.google.com/search?q=inurl%3Adb.inc

Don't recommend naming PHP includes with a .php extension. Don't recommend adding code to PHP includes that blocks direct requests. Don't recommend the following for denying requests for .inc resources:

    Order allow,deny
    Deny from all

The problem is not that these techniques are bad, but rather that they are neither optimal nor sufficient. If you employ these techniques, do so only to adhere to the principle of defense in depth. If you're only going to implement one safeguard, choose the best one.
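The layout the post prescribes, as an added example that is not code from the original post: the include directory sits one level above DocumentRoot, the script resolves it relative to its own location, and a small self-check refuses to run if the include ever resolves to a web-reachable path (a .inc file under DocumentRoot is served as plain text by a server that has no handler for that extension). The directory names, the constant INCLUDE_DIR, the function include_is_outside_docroot and the contents of db.inc are assumptions for this example.

```php
<?php
// Added example, not code from the original post. Assumed layout, constructed
// for illustration:
//   /var/www/example.com/htdocs/index.php   <- DocumentRoot is .../htdocs
//   /var/www/example.com/includes/db.inc    <- one level up, unreachable by URL
declare(strict_types=1);

// Resolve the include directory relative to this file rather than hard-coding
// it, so the layout survives a move of the site. __DIR__ is htdocs here, so
// '/../includes' is its sibling directory outside DocumentRoot.
const INCLUDE_DIR = __DIR__ . '/../includes';

/**
 * Defensive check (hypothetical helper): true only when $path resolves to a
 * real file that is NOT beneath $docroot. Run it at startup or in a deployment
 * test so a misplaced include fails loudly instead of being served as text.
 */
function include_is_outside_docroot(string $path, string $docroot): bool
{
    $real = realpath($path);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        return false; // missing file or bogus docroot: treat as unsafe
    }
    // Compare with a trailing separator so /var/www/htdocs2 is not mistaken
    // for a child of /var/www/htdocs.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) !== 0;
}

$dbInclude = INCLUDE_DIR . '/db.inc';
if (!include_is_outside_docroot($dbInclude, $_SERVER['DOCUMENT_ROOT'])) {
    // Refuse to run with a web-reachable include; log server-side and tell the
    // client nothing about the file.
    error_log("refusing to load $dbInclude: it resolves inside DocumentRoot");
    http_response_code(500);
    exit;
}

require $dbInclude; // assumed to define $dbUser and $dbPass for this example
```

With this arrangement no Deny directive and no "if not included, exit" guard is needed for the credentials file, because the web server never maps a URL onto the includes directory at all; the check above only catches a deployment that accidentally puts it back inside DocumentRoot.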

Do not store your PHP includes in document root. There are no exceptions. There are no excuses.