has permission to read any files that contain sensitive information, such as the database server password. PHP scripts are executed by the server before content is sent to a requesting web browser, so people won't see the password when they load a PHP page.

However, included files are sometimes given names with the .inc extension. The web server only processes files with the .php extension, and sends other text files untouched to the web browser. This presents a worrisome security problem if the file contains sensitive information; if a user correctly types in the URL of a header file, she'll be able to see its contents.

We recommend that you always use the .php extension for header files. The web server will provide the output produced by running this script, and since the script doesn't actually print anything, a user who directly requests the include file will see only a blank page.

If you choose to use an extension other than .php, you should place the include files outside the web server document tree, so that the web server does not serve the file to users; this can lead to difficulties with maintenance because the application files won't all be located together.

Alternatively, you can tell the web server to refuse access to files with that particular extension. For the Apache web server, you can do this by adding the following directives to the httpd.conf configuration file and restarting the server:

    # Refuse every request for a file whose name ends in .inc
    <Files ~ "\.inc$">
        Order allow,deny
        Deny from all
    </Files>