Simetrical wrote:
> .inc doesn't tell you it's a PHP file. This causes some editors' syntax highlighting to become confused. If you use a PHP IDE, the only way to get it to reliably load the file on double-click is to have it load *all* .inc files, which may include some non-PHP files. Also, renaming to .inc would probably mean that the files would be served as text or HTML files when directly requested, which might cause unanticipated issues (certainly for configuration files!). Using .php but having the sole contents be class/function/variable/etc. declarations returns a blank page.
> Overall, this solution is unnecessarily inconvenient, when autoloading works perfectly well.
If it works perfectly well, then why were there so many vulnerable files? You can't just say "be less stupid"; human stupidity is invariant.
The developers of Drupal and Gallery seem to manage with .inc filenames; maybe you can ask them for advice on how to configure your IDE.
As for configuration files, the obvious solution, followed by both Drupal and Gallery, is to keep the configuration in a .php file. I wouldn't suggest having DB passwords in a public .inc file, any more than I'd suggest renaming index.php to index.inc; it's just a straw man.
-- Tim Starling
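
Both sides of this exchange can be checked mechanically over a source tree. The script below is an added example, not part of the original message or of any project named in it: it reports files with a non-interpreted extension that hold PHP source (returned as text on a direct request, worse if they assign a password) and .php files with code outside class/function bodies (executed on a direct request instead of giving a blank page). It assumes only `.php` is handed to the interpreter, uses regex heuristics rather than a real PHP parser, and runs on constructed sample files.

```python
import re
import tempfile
from pathlib import Path

INTERPRETED = {".php"}  # assumption: the server runs only these through PHP
NOISE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*|'(?:\\.|[^'\\])*'"
                   r'|"(?:\\.|[^"\\])*"', re.S)   # comments and string literals
DECL = re.compile(r"\b(?:(?:abstract|final)\s+)*(?:class|interface|trait|function)\b[^{;]*\{")
SECRET = re.compile(r"(?i)pass(?:word|wd)?\w*\s*=")

def top_level_code(src):
    """Heuristic: code left after dropping comments, strings and declaration bodies."""
    src = NOISE.sub(" ", src)
    kept, pos = [], 0
    while (m := DECL.search(src, pos)):
        kept.append(src[pos:m.start()])
        depth, pos = 1, m.end()
        while pos < len(src) and depth:      # skip to the matching brace
            depth += {"{": 1, "}": -1}.get(src[pos], 0)
            pos += 1
    kept.append(src[pos:])
    return re.sub(r"<\?php|\?>", "", "".join(kept)).strip()

def audit(root):
    """Map each risky file under root to what a direct HTTP request does."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        src = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.suffix not in INTERPRETED:
            if "<?php" in src:               # served back as plain text
                findings[rel] = "source+secret" if SECRET.search(src) else "source"
        elif top_level_code(src):            # would execute, not a blank page
            findings[rel] = "executes"
    return findings

SAMPLE = {  # constructed files, not taken from any real project
    "includes/Title.php": "<?php\n// lib\nclass Title {\n function get() { return 'x'; }\n}\n",
    "includes/Skin.inc": "<?php\nclass Skin { }\n",
    "includes/Setup.inc": "<?php\n$dbpassword = 'example';\n",
    "maintenance/update.php": "<?php\nrequire 'Title.php';\nrun_update();\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLE.items():
            Path(d, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(d, rel).write_text(body)
        return audit(d)
```

Calling `audit()` on a real checkout lists the files to review; a declarations-only `.php` file such as the sample `includes/Title.php` produces no finding.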