Bugtraq mailing list archives

Re: A Study In Scarlet - Exploiting Common Vulnerabilities in P


From: "David Nugent" <davidn () austel net>
Date: Thu, 5 Jul 2001 15:55:43 +1000

I find it good practice that PHP included files have ONLY
function definitions, (and perhaps some assignments of
global configuration variables.)

I find it better practice to put and organise php include files completely
outside of the web document tree regardless of how they are named. Garbage
in there is security fodder, and good habits are good habits.

php_include works perfectly and is provided for exactly this purpose - why
not return a 404 and not even give a hint to indicate that there's anything
at that location at all (because there /isn't/)..
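As an added illustration of the practice described above, and not code from the post or its author, here is a front-controller script that loads its include files from a directory outside the web document tree. The directory layout, file names and the `$_SERVER['DOCUMENT_ROOT']` check are assumptions for the example; a request for `/config.inc.php` under this layout gets an ordinary 404 because nothing exists at that path inside the served tree.

```php
<?php
// Added example (hypothetical layout, not from the original post):
//
//   /srv/app/htdocs/index.php      <- the only script the web server can serve
//   /srv/app/lib/config.inc.php    <- never reachable by URL
//   /srv/app/lib/db.inc.php        <- never reachable by URL
//
// DocumentRoot is assumed to be /srv/app/htdocs; the include directory is a
// sibling of it, so no URL maps onto the include files at all.
declare(strict_types=1);

$libDir = dirname(__DIR__) . '/lib';

// Defensive check: refuse to run if the include directory resolves to a path
// inside the document root, which would make the includes requestable by URL.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$libReal = realpath($libDir);

if ($docRoot === false || $libReal === false) {
    http_response_code(500);
    exit('cannot resolve document root or include directory');
}
if (strncmp($libReal . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0) {
    http_response_code(500);
    exit('include directory must live outside the document tree');
}

// Prepend the library directory to include_path so that bare require statements
// resolve there. The same effect can be had from php.ini or a per-directory
// configuration by setting include_path.
set_include_path($libReal . PATH_SEPARATOR . get_include_path());

// Includes hold only function definitions and configuration assignments;
// nothing in them executes on load.
require_once 'config.inc.php';
require_once 'db.inc.php';

// From here on, all behaviour is driven by this entry point, not by whatever
// a client might guess as a file name under the document root.
echo 'application entry point';
```

Because `/srv/app/lib` is not under `/srv/app/htdocs`, the web server has no path to serve for any `.inc.php` file; the runtime check simply makes a misconfigured deployment fail loudly instead of quietly exposing the includes.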


