.inc files?

Sharif

What are .inc files used for?

leatherback

Hi,

The inc (=incude) files are used to place specific variables / routines which you need on multiple pages in. Say, your whole header/menu could be an include. then, when you want to =change the structure of the header, you only have to change the .inc file to update the whole site.

Sharif

So how can I use them? Just put a include() function? If I do that, wouldn't it print out all the content?

leatherback

Hi,

If you place them in you're PhP pages, PhP will include the section FIRST, and then proicess the whole code, as if it were coded in one file.
Yes, you can just include it, or you can require() the page (Look at the manual for subtel differences between the two, use the search button on top of this page, on the right and search for require).

Sharif

So would this work:

connection.inc has:

$dbHOST = "localhost";
$dbUSER = "root";
$dbPREFIX = "ABC_";
$db = $dbPREFIX . "DEF";

and connection.php has:

<?php

include('connection.inc');
echo $db;

?>

Unfortunately, connection.php returns this:

$dbHOST = "localhost"; $dbUSER = "root"; $dbPREFIX = "ABC_"; $db = $dbPREFIX . "DEF";

Why?

ereptur

You need to put in the <?php ?> tags in your include files as well

leatherback

Try:

connect.inc:

<?php
$dbHOST = "localhost"; 
$dbUSER = "root"; 
$dbPREFIX = "ABC_"; 
$db = $dbPREFIX . "DEF";
?>

Sharif

OH NOW YOU TELL ME!.. jeez 😃

leatherback

Hey!

It is 1 am here right now..

I deserve a bit of leeway ok?

I suppose I will just go to bed then.

Hm.. empty bed.. How attractive it that..

PC -- Bed ...
???

😕 😃

Xoid

Hi Sharif!

Don't use .inc files to store your connection routines because .inc files can be displayed as ordinary text files which is a major security risk! always store your connection routines in a .php file in fact I would not use .inc files at all to be honest with you.

e.g.

<?php
include("connection.php");
?>

Hope this helps!

leatherback

Good point Xoid.

(In actually changed myself recently too. Should have made the remark...)

:eek: :mad:

😃

ereptur

Many people use .inc.php to help makes this process secure, yet still easy to discern at a quick glance.

e.g. connection.inc.php.

Then you can see that the file is meant to be included and it will be process as php if someone tries to get at it directly.

Alternatively, you can also store the include files outside of the document root.

Or, you could just add .inc files to the AddType directive in your Apache file (if you're using Apache). Then they will be processed as PHP files anyway.

All things to consider.

Xoid

indeed, but why both saving a file as connection.inc.php ?

easier just to save it as connection.php

for security and easy of use I would just use .php extensions, but, hey that's just me 😃 :rolleyes:

HalfaBee

I just want to add, that if you are on a shared unix server make sure the files are chmod 600 so no one else can read them.

HalfaBee

philipolson

A files extension means absolutely nothing to PHP, PHP could care less what extension the file has. .inc .foo .php .phtml .whateveryouwant ... all can be included just the same. What does matter is PHP tags, PHP tags will get parsed nomatter the extension.

Now the web server is a different story. You can tell your web server to parse .php as PHP, this is common, but you can also tell it to parse .anythingyouwant extensions as PHP, or Perl, or not at all. Typically .inc shows as plain text because the web server doesn't recognize and passes it off as the default type, which is often type text.

Using .php as an extension is okay but certainly not ideal because most likely you don't want the code to parse at all when called by itself. Ideally you'd use an extension that won't parse at all and better yet these files will be outside the document root but in the real world people put includes in the document root. An example for disallowing direct access to .inc files through Apache via .htaccess or httpd.conf is:

<Files "*.inc">
Order allow,deny
Deny from all
</Files>

laserlight

If you are not going to distribute the code, then it should be a simple matter to use what extension you like then modify the webserver's config file to get it parsed as PHP.

On the other hand, if you are going to distribute the code, change your include files filename.inc.php probably would be safer, since some ppl cant change their config files, or dont have access to space outside their document root etc.

PHP tags wont get parsed no matter what the extension.
The PHP code within them will get parsed if the file extension is recognized for parsing.

Actually, I think that in "filename.inc.php", the filename is actually "filename.inc", not too sure about that though.

Xoid

yes laserlight, it is .inc but there are significant disadvantages in naming files with .inc on alot of servers you can actually download these files and any code within the file, many coders keep database connection details within .inc files which is asking for trouble.

If the user cannot change the config file then it's safer to use .php

Sharif

Is this okay:

I use .inc files but then CHMOD them 600 so only I can read and write them? If I CHMOD them to 600, can my pages still access and include them?

philipolson

PHP tags wont get parsed no matter what the extension.
The PHP code within them will get parsed if the file extension is recognized for parsing.

Actually, I think that in "filename.inc.php", the filename is actually "filename.inc", not too sure about that though.

I was of course talking about includes, not directly called through the web server (like via the browser). Sorry for the miscommunication. The extension does not matter one bit for includes.

Regarding filename.inc.php, the extension is .php, not .inc. Well, I don't remember how Windows works but in *nix the extension would be seen as .php as . is a valid character that can be used in filenames.

ereptur

Originally posted by Sharif
Is this okay:

I use .inc files but then CHMOD them 600 so only I can read and write them? If I CHMOD them to 600, can my pages still access and include them?

Actually, no. Your webserver always needs to have read access to your files and hence, someone browsing your site still has read access to your files.

If you do not have access to your php.ini file or your httpd.conf file, then the best solution is to name your files with the .inc.php extensions.

Otherwise, it would be best to use the Files directive shown in an eariler reply on this topic.