PHP包含文件扩展名?
[英]PHP include file extensions?
问题描述
对于PHP中的必需/包含文件,使用.inc扩展名与.inc.php vs .php扩展名更好吗?
3 个解决方案
解决方案1
15 已采纳 2010-08-02 19:59:25
Sometimes people use the .inc extension and then do some server configuration to keep .inc files from being accessed via a web browser. 
有时人们使用.inc扩展名,然后进行一些服务器配置,以防止.inc文件通过Web浏览器访问。 This might be good, if done absolutely correctly by a knowledgeable sysadmin, but there's a better way: Any file that's not supposed to be accessed by web users should be kept outside your document root. 这可能是好的,如果由知识渊博的系统管理员完全正确完成,但有一种更好的方法:任何不应被Web用户访问的文件都应保存在文档根目录之外。 Once these files are off the web, so to speak, you can use whatever extension you want. 一旦这些文件离开网络,可以说,你可以使用你想要的任何扩展名。 .php is definitely a sensible choice for syntax highlighting, general sanity, and so on. .php绝对是语法高亮,一般理智等的明智选择。
解决方案2
1 2010-08-02 20:22:45
Apache can sometimes (due to bugs or severe crashes) serve .php files as text (happend to me a few times on shared hosting).... I think you can use any extension you want as long as you don't store your files in a public folder. Apache有时(由于错误或严重崩溃)将.php文件作为文本提供(在共享主机上发生了几次)....我认为只要你不存储你就可以使用你想要的任何扩展名公用文件夹中的文件。
Let's say your site is in /home/user/public_html/ 假设您的网站位于/ home / user / public_html /
create another folder /home/user/lib_php/ 创建另一个文件夹/ home / user / lib_php /
have the files: 有文件:
(1) .../lib_php/one.class.php with (1)... / lib_php / one.class.php with
class one {
//...
}
(2) .../lib_php/two.function.php with (2)... / lib_php / two.function.php with
function two() {
//...
}
and you have the main index.php in /public_html 并且/ public_html中有主要的index.php
<?php
include_once('../lib_php/one.class.php');
include_once('../lib_php/two.function.php');
$x=a; $b=two($x); $c=new one; //etc..
or 要么
<?php
require_once('/home/user/lib_php/the.file.php'); This way you are taking every precaution the files are not reachable directly but can be used by your scripts... 这样您就可以采取一切预防措施,直接无法访问文件,但脚本可以使用这些文件......
解决方案3
1 2010-08-02 22:51:27
My personal preference is that anything in the document root is a .php file, to indicate it's directly executable by the web server, and anything that's a library is a .inc file stored in a parallel directory, to indicate it's NOT directly executable. 我个人的偏好是文档根目录中的任何内容都是.php文件,表明它可以直接由Web服务器执行,而任何库都是存储在并行目录中的.inc文件,以表明它不能直接执行。
My standard configuration is 我的标准配置是
/home/sites/example.com/html/ - anything here is 'safe' to expose if PHP fails and serves up raw code /home/sites/example.com/html/ - 如果PHP失败并提供原始代码,这里的任何内容都是“安全的”
/home/sites/example.com/inc/ - libraries, config files with passwords (eg the database connection class with DB credentials), etc.. Anything that shouldn't be exposed as there's no reason for it. /home/sites/example.com/inc/ - 库,带密码的配置文件(例如带有DB凭据的数据库连接类)等。任何不应该公开的东西,因为没有理由。
While you can certainly configure Apache to deny access to .inc files and keep them inside the webroot, then you're depending on Apache to keep you safe. 虽然你当然可以配置Apache来拒绝访问.inc文件并将它们保存在webroot中,但你依靠Apache来保证你的安全。 If PHP can fail within Apache and expose your code, then the .inc blocks can ALSO fail and expose your code's innards as well. 如果PHP在Apache中失败并暴露您的代码,那么.inc块也可能失败并暴露您的代码内部。
Of course, if Apache's coughing blood all over the floor, there's no reason that the directory traversal protection can't fail as well and let someone do http://example.com/../inc/seekritpasswords.txt . 当然,如果阿帕奇在全场咳血,那么目录遍历保护也没有理由也不会失败,让某人做http://example.com/../inc/seekritpasswords.txt 。
At some point you just have to accept that if something's stored anywhere on the web server, there's a possibility that a failure may allow access to the raw data and expose everything. 在某些时候,您必须接受如果某些内容存储在Web服务器上的任何位置,那么失败可能会允许访问原始数据并公开所有内容。 How much time and effort you want to expend on protecting against that is up to you. 您希望花费多少时间和精力来防范这一点取决于您。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.