Storing script files outside web root

Tags: php, .htaccess

I've seen recommendations to store some or all php include files some place other than in the web document root directory (username/public_html in my case) for the specific reason of protecting php files with sensitive information (like database connection and login info) in the event that the web server hiccups and stops protecting php files and they become 'visible' to outsiders who know where to look.

It seems somewhat paranoid to me, but I'm guessing people have gotten burned badly on this before so I'm willing to go along. The suggestion usually takes the form of having the include files in something like '../include_files/' so it's not directly in the document root and not directly accessible to outsiders through the web server.

My question is this: is there a significant difference in security between that way and just putting your 'include_files' directory under the document root and sticking an .htaccess file in there (with the appropriate entries)? Would putting an .htaccess file in '../include_files/' make any significant improvement there?

TIA,

Monte

asked by memilanuk, Jun 14 '10 00:06




2 Answers

It really depends on what you have in your include_files. The most important thing is that you put any credentials you have outside of the document root (database logins, etc.). Everything else really is secondary and doesn't matter that much.

If you don't want anyone stealing your source code then try to follow Zend conventions:

application
library
public

DocumentRoot points to public and that just contains media files, js/css files. HTML/views, db logic, conf/credentials are in application. Third party libraries are in library.

answered by meder omuraliev, Nov 19 '22 07:11


Using .htaccess adds overhead since Apache has another item it needs to check for and process.

Keeping files out of web root isn't being paranoid, it's good practice. What happens if someone accesses one of the "include" files directly and it throws out revealing errors because all the pre-requisite files weren't loaded?

Each file needs to have its own security checks to make sure it is running under the expected environment. Each executable file in a web-accessible area is a potential security hole.

answered by Brent Baisley, Nov 19 '22 06:11
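As an added example (not code from either answer), here is the layout the first answer describes combined with the per-file environment check the second answer calls for. It assumes Apache's DocumentRoot points at `public/`, that `application/` sits beside it outside the web root, and that the constant name `APP_BOOTSTRAPPED` is a hypothetical chosen for illustration:

```php
<?php
// ---- public/index.php : the only PHP entry point under DocumentRoot ----
// Mark that we arrived through the real front controller before loading
// anything that lives outside the web root. (Constant name is an assumption.)
define('APP_BOOTSTRAPPED', true);

// Resolve ../application relative to this file, never from request input,
// so a crafted query string cannot redirect the include elsewhere.
$appDir = realpath(__DIR__ . '/../application');
if ($appDir === false) {
    http_response_code(500);
    exit('Application directory not found');
}

$config = require $appDir . '/config.php';
// ... connect using $config['db'] and dispatch the request ...

// ---- application/config.php : outside DocumentRoot, never served ----
// Defence in depth: if the web root is ever misconfigured and this file is
// requested directly, the guard refuses to run rather than emitting the
// undefined-variable errors (or credentials) the second answer warns about.
if (!defined('APP_BOOTSTRAPPED')) {
    http_response_code(403);
    exit('Forbidden');
}

return [
    'db' => [
        'dsn'  => 'mysql:host=localhost;dbname=app',
        // Placeholder values: real deployments read these from the
        // environment or a file with restricted filesystem permissions.
        'user' => getenv('DB_USER') ?: 'app',
        'pass' => getenv('DB_PASS') ?: 'change-me',
    ],
];
```

If the include directory must stay under the document root, an `.htaccess` containing `Require all denied` (Apache 2.4 syntax) blocks direct requests, but the guard above still catches the case the question raises, where `.htaccess` processing is disabled or the PHP handler is lost.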