Include Files
The Web server knows that a file is a PHP file by looking at the .php extension. Thus when you request a PHP page from the server, it first lets PHP interpret that file and then shows the results. If the server does not recognize the file extension, it will normally just show the contents of the file.
Sometimes it happens that a PHP script needs to include other files as part of itself. A lot of programmers have a tendency to name those include files with a .inc extension. The problem here is that if the server is not aware that those files are actually parts of PHP scripts, it will just show the code to whoever requested it. This gives attackers the opportunity to study the code for security holes all they want and to see any hard-coded data that may be secret.
There are several ways to prevent this. One way is to name all include files with a .php extension (or .php3, or whatever the server associates with PHP) so that the server will interpret them instead of showing them. Another possible solution is to associate .inc files with PHP. Yet another solution would be to prevent all .inc files from being displayed. In Apache, the last can be achieved by something like this:
<Files ~ "\.inc$">
Order allow, deny
Deny from all
</Files>
This must be a section in the httpd.conf file.
Probably the safest thing to do, however, would be not to put .inc files under DocumentRoot at all. Put them somewhere else and change include_path in php.ini. This way only your PHP scripts will be able to get to them and the Web server won't even see them.