security with include question.

fristi

Hi,

I was wondering why some ppl include their passwords and such (like login info for a sql database) with an include(pass.php) statement. Why not just hardcode the password in the normal script, why use a seperate file? If they could get into your normal script, what is stopping them from getting into the file with the passwords?

thanks for any replies

TheDefender

The idea is to place the include in a protected folder (not in the document root directory).

jordy

There are certain avantages of including passwords and such in separate scripts. The first one is given.. so you can secure the the file outside of the documentroot.

another reason would be code-recycling. I usually use a config.inc file to include all the configuration items for my site. If i build another site or migrate the site to another server i only have to change the config.inc file. With a simple .htaccess file (on a apache server) i can secure the file.

fristi

I see now. Thanks for the explanation, I appriciate it 🙂