gaping security hole

last night i could be heard saying "i'm not too concerned about security." this morning i got an email from yet another kind visitor pointing out that my .inc files, including the one with all my passwords, were being presented by the server as plain text when called directly. so anyone could get my database password, my del.icio.us password, and my google api key. suddenly i became concerned about security.

i added the following line to my .htaccess file to make the server parse .inc files just like .php files (as my previous server did):

AddType application/x-httpd-php .inc

which solved the problem. then i changed all my related passwords. no harm done.

so now i'm back to not being concerned about security. after recovering from my initial freak-out mode, i realized that access to the database is restricted to certain IP addresses, so the password alone will not do much unless you are one of my neighbors sharing my IP address. and my del.icio.us posts are now automatically backed up on the links page, so no worries there. and my google api key is pretty much worthless. but still, putting passwords in a publicly-viewable text file is probably not a good idea.

Ick! You should think about placing your inc files in a location above your web-accessible directory. If your document root is "/home/your_username/public_html", do not place them underneath that directory but rather in "/home/your_username/php_incs/" and then reference that location. This way no one can ever read your files, regardless of whether or not you protect using .htaccess or other methods. Well, if you're on a shared server you'll want to be sure that read/write permissions and proper ownership exist.

i've read that suggestion, tom, but other than my passwords file, i actually want people to be able to read my .inc files. everything else on randomchaos.com is open-source (see the link at the bottom of each page). i could still do the source viewer if i moved .inc files out of the public html directory, but it would mean more exclusions in the code, which means more places where things can go wrong.
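An added .htaccess example (not from the original post or from randomchaos.com) that combines the AddType fix above with Tom's point: the open-source .inc files stay inside the document root and are parsed as PHP, while the single include holding credentials is refused over HTTP and can only be pulled in through include()/require(). The filename passwords.inc and the Apache 2.4 `Require` syntax are assumptions; on Apache 2.2 the equivalent inside the Files block is `Order allow,deny` followed by `Deny from all`.

```apache
# Parse .inc files as PHP so their source is no longer served as plain text.
# Caveat: this depends on mod_php being active for this directory; on a host
# where it is not, .inc files fall back to being served verbatim, which is
# exactly what happened after the move to the new server.
AddType application/x-httpd-php .inc

# Even when parsed, a direct request still executes the file. Refuse direct
# HTTP access to the credentials include (assumed name: passwords.inc).
# include()/require() read from the filesystem and are unaffected by this.
<Files "passwords.inc">
    Require all denied
</Files>
```

A quick check after deploying is to request the include directly in a browser and confirm a 403 rather than either the source text or an empty 200 page.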