Shulou(Shulou.com)06/03 Report--

This article mainly explains the "what are the risks and matters needing attention in the use of php inc files". The explanation in the article is simple and clear, and it is easy to learn and understand. Please follow the editor's way of thinking to study and learn "what are the risks and precautions in the use of php inc files".

One of the main issues that need to be concerned about in the use of the database is the exposure of access rights, that is, the user name and password. For convenience in programming, it is usually saved in a db.inc file, such as:

The copy code is as follows:

Usernames and passwords are sensitive data and require special attention. Their being written in the source code poses a risk, but this is an inevitable problem. If you don't, your database won't be able to set a username and password to protect it.

If you have read the default version of http.conf (Apache's configuration file), you will find that the default file type is text/plain (plain text). In this way, there is a risk if a file such as db.inc is saved in the root of the site. All resources located in the root directory of the site have a corresponding URL, and because Apache does not define the type of processing for files with the .inc suffix, when accessing such files, they are returned as plain text (the default type), so that access rights are exposed to the customer's browser.

To further illustrate this risk, consider a server with / www as the root of the Web site. If db.inc is stored in / www/inc, it has its own URL http://example.org/inc/db.inc( assuming example.org is the host domain name. By visiting the URL, you can see the source file that the db.inc displays in text. No matter which subdirectory you save the file in / www, you can't avoid the risk of access exposure.

The best solution to this problem is to save it in an include directory other than the root of the site. You don't need to put them in a specific location in the file system for the purpose of including them, all you have to do is make sure that the Web server has read access to them. Therefore, there is no necessary risk to put them in the root of the site, and any effort to reduce the risk is futile as long as the included files are still in the root of the site. In fact, all you have to do is put the resources that must be accessed through URL in the root of the site. After all, this is a public directory.

The previous topic is also useful for SQLite databases. It is very convenient to save the database in the current directory because you only need to call the file name without specifying a path. However, keeping the database in the root of the site represents an unnecessary risk. If you do not use security measures to prevent direct access, your database will be dangerous.

If it is not possible to place all included files outside the root of the site due to external factors, you can configure Apache to reject requests for .inc resources.

The copy code is as follows:

Order allow,deny

Deny from all

If you write this just because you want to give an example, it is understandable that you have learned some means after all, but this example is a bit blunt. In fact, all you have to do is rename the file to db.inc.php. It's like building a bigger house outside without mending a hole in the house.

Later you can see another way to prevent database access from being exposed, which is very effective in a shared server environment where there is a risk of exposure even though the files are outside the root of the site.

Thank you for your reading, the above is the content of "what are the risks and matters needing attention in the use of php inc files?" after the study of this article, I believe you have a deeper understanding of the risks and matters needing attention in the use of php inc files. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.