Never, EVER, neverever in life …
… should you put a file with your database passwords in your web document root and give it an .inc extension.
I ran across an example of this today and it’s just a really bad practice. These files are web-readable, and by saving it as an .inc file, you are exposing your data to whoever stumbles across ‘db.inc’ or ‘globals.inc’.
If you must save files in your document root, save them with a .php extension (.php files are better, but at least one developer argues not by much).
UPDATE: Ben Ramsey fills me in on the reasoning behind Chris Shiflett’s mandate.
There is a twofold reason Chris says that storing PHP includes within the Web root is not a good practice (there may be more than two reasons, but there are two that I know of):
- your PHP scripts should never be accessed out of context, and leaving an include file within the Web root allows users to execute it out of context, potentially doing things you didn’t intend them to do, and
- on the off-chance that the server crashes and reboots — but Apache doesn’t quite load PHP successfully — and it takes 30 minutes to an hour or more to get your hosting company to fix it, then all of your PHP files will be readable to the public as plain text, exposing your code and any passwords contained therein.
Both reasons are enough to convince me to place only those files that need to be accessed directly by the client in the Web root and all others above it.
Sound advice.
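
As an added example (not from the original post or from the developers quoted in it), here is a small Python audit that walks a document root and flags the two exposures described above: include files the server does not hand to PHP, and `.php` files holding credentials that would become readable if PHP failed to load. The extension list, the credential regex and the sample files are assumptions constructed for the illustration.

```python
import os
import re
import tempfile

# Extensions often used for includes that Apache serves as plain text unless
# mapped to PHP (assumed list; extend it for your own naming conventions).
INCLUDE_EXTS = {".inc", ".bak", ".old", ".conf"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# Heuristic for credential assignments: $db_pass = '...', ['password'] = '...'
CRED = re.compile(rb"(pass(word|wd)?|secret|db_?user)\w*['\"\]]*\s*(=>|=)\s*['\"]", re.I)


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) findings for files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(256 * 1024)  # the head of the file is enough
            has_creds = bool(CRED.search(data))
            if ext != ".php" and (ext in INCLUDE_EXTS or PHP_TAG.search(data)):
                why = "may be served as plain text" + (", contains credentials" if has_creds else "")
                findings.append((rel, why))
            elif ext == ".php" and has_creds:
                findings.append((rel, "credentials readable if PHP fails to load"))
    return sorted(findings)


def demo():
    """Audit a constructed document root built in a temporary directory."""
    samples = {  # constructed sample files, not from the original post
        "index.php": "<?php require 'db.inc'; echo 'hello';",
        "db.inc": "<?php $db_user = 'app'; $db_password = 'example-only';",
        "lib/globals.php": "<?php $config['password'] = 'example-only';",
        "style.css": "body { margin: 0 }",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return audit_docroot(root)


if __name__ == "__main__":
    print(*("%s: %s" % f for f in demo()), sep="\n")
```

Point `audit_docroot()` at your own document root; anything it reports is a candidate for moving above the Web root.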















