I know I just posted below, but I have another question.

Is it dangerous to have the <head> tag be included using PHP include? Is it dangerous to have the <body> tag or <html> tag or doctype to be included using PHP?

Actually it doesn't really matter whether you include HTML or you just write it manually in the script.

But be aware of this when you either write or include things in the script such as a database config or variable config: if, due to an error, the server doesn't process the PHP scripts, they will be shown as regular HTML and then people will be able to read the PHP (including all the variables). They can then use that to, for example, copy/adjust your database or get access to secure parts of the website.

To sum it up:

It doesn't matter whether you include or write the <head>, <html> and <!DOCTYPE> tags in a PHP file. I recommend you always include configs that are either hidden from the user with .htaccess or that are located above the webroot.


Hmm, PHP include() (and require()) are server-side methods that include a file on the server in the current file. On the other hand, the <head>, <html> and <body> tags are client-side HTML.

Not really connected at all, so to answer your question, no. It's not dangerous to have those tags.

Wow! Speedy replies! Just what I needed.

So can you elaborate a little more on how to make the include function more secure through the htaccess file?

If your server is the production/live server, the key things you have to do are disabling error reporting in PHP (display_errors in php.ini should be set to off) and disabling directory browsing in Apache, described here and here.
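
Added example, not part of any post in this thread: a `.htaccess` for the web root that applies the advice above (no directory browsing, no direct HTTP access to included config files, no PHP errors shown to visitors). The file names `dbconfig.php` and `config.php` and the `.inc` extension are assumptions; Apache 2.4 syntax is assumed, and the server's `AllowOverride` setting must permit these directives.

```apache
# .htaccess in the web root (constructed example; file names are assumptions)

# Disable directory browsing: a folder without an index file returns 403
# instead of a listing of its contents.
Options -Indexes

# Refuse direct HTTP requests for include/config files.
# include() and require() read these files from disk, so they keep working;
# only a browser asking for /dbconfig.php or /header.inc is turned away.
# Apache enforces this itself, so it still holds if PHP stops being
# processed and .php files would otherwise be served as plain text.
<FilesMatch "\.(inc|ini|conf)$|^(dbconfig|config)\.php$">
    Require all denied
</FilesMatch>

# Hide PHP error output from visitors and write it to the log instead.
# php_flag is only understood when PHP runs as an Apache module (mod_php);
# mod_php.c is the module name for PHP 8. With PHP-FPM or CGI, leave this
# block out and set display_errors = Off in php.ini, as the post says.
<IfModule mod_php.c>
    php_flag display_errors off
    php_flag log_errors on
</IfModule>
```

Keeping the config file above the web root, as recommended earlier in the thread, does not depend on `.htaccess` being honoured at all, so this file is best treated as a second layer rather than the only one.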

I obviously have directory browsing disabled but I never thought of disabling the PHP errors. I will now do that after I am done testing my PHP.

Any other suggestions for secure PHP include?

I don't know what else server side. Not my strong point. But if you're using a framework like Zend or CakePHP you can move your source files off the www-root so that they aren't accessible from the outside. Nothing else comes to mind.

I am not using a framework.

Thank you for your help!

A good way to do it is,

commented: 1:answered, 2: 5 YEARS ago, :: Etiquette requires you not to post to solved or dead threads, This is both -3