Menu
Languages such as Perl, Pythong, etc are usually considered to have a better security comparing with PHP. Apart from possible security holes, one reason can be (I do not know, I am asking) that we do not put the executable files of Perl and Python within public folder. Since PHP files are not executable, it is safe to keep them within public folder.
Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers? If yes, is it common? because I do not see any disadvantage (except a little bit harder handling of file spread in different places); but if it is beneficial for improve security, it is worth of consideration. Since I do not know about the ways hackers attach a php-based website, I have no idea how it can improve security.
644
or if you prefer to create a way more simpler approach, you can do this: <? phpif ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {header( 'HTTP/1.0 403 Forbidden', TRUE, 403 );die ("<h2>Access Denied!
php. Make sure you save the file to your "server's" document root directory. Typically this is the folder named "htdocs" in your Apache folder on Windows, or /Library/Webserver/Documents on Mac, but can be set by the user manually.
PHP is as secure as any other major language. PHP is as secure as any major server-side language. With the new PHP frameworks and tools introduced over the last few years, it is now easier than ever to manage top-notch security.
If your server is properly configured and there are no bugs in your PHP code, then the contents of a PHP file cannot be accessed by the public. If it's poorly configured or there are bugs, then the contents may be available to any attacker.
Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers?
Yes.
If yes, is it common?
Yes.
but if it is beneficial for improve security,
Your PHP app will typically consist of many individual files. Usually, these will get included from other files. For example, you might have:
index.php
lib/db.php
lib/auth.php
In this example, since all the files are in the document root, an external user could hit the url http://domain.com/lib/auth.php and run that include file directly, independent of the auth system that's supposed to be sourcing it. Will it do anything bad when run by itself? Probably not. But to be safe, you should move the include files outside document root, thus making it impossible for the web server to serve them directly.
(Note that this vulnerability is not exclusive to PHP, and thus keeping your libs outside document root is a good practice, regardless of platform.)
119
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
