Where to put my PHP files

I have finished my PHP project development. It was developed locally on my PC. Now I am ready to upload it on my web server and make it publicly accessible.

However, one thing bothers me: Currently, all the PHP files are in my WWW folder with all the HTML, JavaScript, CSS, and image files. PHP files are sensitive, as they access the MySQL database and often contain passwords and file paths that are meant to remain secret from the users.

If I leave the PHP files within the WWW directory, I am afraid they can become accessible to the public, similar to the other files and images. I am so scared that skilled users can download and read them and reveal secret information about my web server.

Are my worries legit? Does the web server automatically hide .php files? Should I move the PHP files to another location, away from the WWW folder? Is there any other way to protect my PHP files from being downloaded?

I am using:

  • Apache 2.4.7
  • PHP 5.5.8
  • MySQL 5.6.15
Bunkai.Satori Avatar asked Dec 06 '22 23:12



1 Answer

It's pretty safe. If you have PHP installed, your web server will always try to run the PHP file rather than showing its code, and even if the code fails, you will get an error message or a blank page rather than the code.

Apart from that, you can use .htaccess or other server configuration to disable viewing of those files.

But... It must be said that if any of these settings are configured incorrectly, the web server may serve the PHP files as plain text files!

So I think moving all PHP files out of the www folder is a good idea if they should not be accessed directly. You'll often find only one index.php that handles all requests and includes other PHP files. PHP files not in www (the document root) can still be included, so it's a good safety measure to put them in a separate folder. That way, you reduce the risk of exposing those files when you make a tiny configuration error.

After all, even when it worked before, it's very easy to break it. Maybe you want to tweak your configuration or are on a shared host where the hosting provider might make changes without you knowing, so it's just a wise thing to do.

So... It is a good idea to move files out of the www folder. It's usually straightforward to do this (although it depends on your application structure), so it's just an extra safety measure that won't cost you a dime. And if it's hard (due to your current application structure) to completely move all files out of the document root, make sure that at least configuration files with passwords are outside of the www folder, followed by database access files that might expose any security issues you might have in your implementation.

GolezTrol Avatar answered Dec 28 '22 11:12

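A layout that implements the answer's advice, as an added example that is not code from the original post: only the front controller stays in the document root, the credentials and database helpers sit one level above it, and each included file also refuses to run unless it was loaded through that front controller. The directory names, the APP_ENTRY constant and the db_connect helper are assumptions for this example.

```php
<?php
// ==== public/index.php ==================================================
// The only PHP file left inside the Apache DocumentRoot (public/).
// Layout assumed for this example (constructed, not the poster's project):
//   /var/www/example/public/index.php  <- DocumentRoot, plus static assets
//   /var/www/example/app/config.php    <- credentials, never URL-reachable
//   /var/www/example/app/db.php        <- database helpers, never URL-reachable

// One directory above the document root: Apache cannot serve anything under
// it by URL, even if PHP handling breaks and .php files come back as text.
define('APP_ROOT', dirname(__DIR__));
define('APP_ENTRY', true); // included files check this before doing anything

$config = require APP_ROOT . '/app/config.php';
require APP_ROOT . '/app/db.php';

$pdo = db_connect($config);
echo 'Connected as ' . htmlspecialchars($config['db_user'], ENT_QUOTES, 'UTF-8');

// ==== app/config.php ====================================================
// Refuse to run unless loaded through index.php. This guard only helps while
// PHP is still executing the file, which is why the file also lives outside
// the document root: a misconfigured server would print it verbatim.
if (!defined('APP_ENTRY')) { http_response_code(403); exit; }

return array(
    'db_dsn'  => 'mysql:host=127.0.0.1;dbname=example;charset=utf8mb4',
    'db_user' => 'example_user',
    'db_pass' => 'REPLACE_WITH_REAL_PASSWORD', // placeholder, never commit a real one
);

// ==== app/db.php ========================================================
if (!defined('APP_ENTRY')) { http_response_code(403); exit; }

// Opens the PDO connection using the array returned by config.php.
function db_connect(array $c)
{
    return new PDO($c['db_dsn'], $c['db_user'], $c['db_pass'], array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ));
}

// ==== public/.htaccess (fallback while some files still sit in public/) ==
// <FilesMatch "^(config|db)\.php$">
//     Require all denied
// </FilesMatch>
```

The .htaccess rule at the end is the fallback the answer mentions for files that cannot be moved yet; it only works while Apache honours .htaccess for that directory (AllowOverride), which is exactly the kind of setting that can change on a shared host without notice.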