
Includes can be a risk

PHP and ASP includes (.inc) can be a risk if used carelessly.

PHP and ASP files, like files in any other server-side programming language, are 'hidden'. Hidden in the sense that, when one is accessed, the code itself is not shown; only its output is sent to the browser.
This is not the case with .inc files. When accessed directly, these files show everything, including any password in the file. This can be a huge security risk.

There are some simple tricks to prevent this:

  • Just add .php (or .asp) to the end. (blabla.inc -> blabla.inc.php)
  • Tell your server not to show .inc files. (e.g. with .htaccess)
  • Put your .inc files in password-protected directories or, even better, in a directory outside your webroot (e.g. an FTP directory).

Note: I use .inc because it is the most used extension for includes, but it can be any other extension.
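
To check an existing site for this problem, the following added example (not code from the original page) walks a webroot and lists every file that contains PHP or ASP code but does not end in an executed extension, whatever that extension is. The `EXECUTED` set, the marker pattern and the sample tree are assumptions to adapt to your own server.

```python
import os
import re
import tempfile

# Assumption: only these extensions are handed to the interpreter.
EXECUTED = {".php", ".asp", ".aspx"}
# Opening tags that mark PHP or ASP source inside a file.
CODE_MARKERS = re.compile(rb"<\?php|<\?=|<%")

def find_exposed_includes(webroot):
    """List files under webroot that hold server-side code but whose
    final extension is not executed, so a request returns the source."""
    exposed = []
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXECUTED:
                continue  # blabla.inc.php ends in .php: executed, not shown
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # only the first 64 KiB is checked
            except OSError:
                continue  # unreadable file: skip it
            if CODE_MARKERS.search(head):
                rel = os.path.relpath(path, webroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

# Constructed sample tree, not taken from any real site.
SAMPLE_FILES = {
    "index.php": b"<?php include 'db.inc'; ?>",
    "db.inc": b"<?php $password = 'example'; ?>",
    "lib/config.inc.php": b"<?php $password = 'example'; ?>",
    "old/menu.inc": b"<% Dim conn %>",
    "style.css": b"body { margin: 0 }",
}

def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_exposed_includes(root)

if __name__ == "__main__":
    for rel in demo():
        print("would be served as source:", rel)
```

The script reads only the files, not the server configuration, so a file already blocked by .htaccess or sitting in a password-protected directory is still reported and has to be ruled out by hand.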


In cooperation with SecurityHome.eu