Why are CodeIgniter application files in the public_html folder?

Question

Isn't having all of the files in public view a bad thing?

Surely things such as /system/application/config/database.php should not be publicly visible!

Answer 1

The developers of CodeIgniter, EllisLabs, have set up the framework in this way for ease of use. It means that people wishing to try out the framework don't have to fiddle with any permissions settings on their server.

Of course on a production server, you are absolutely right, putting your PHP files in the public HTML folder is not a good idea.

A better way to organise your folders would be:

• root
  • code_igniter
    • application_folder
      • config
      • controllers
      • models
      • ...
    • system_folder
  • public_html
    • css
    • js
    • images index.php .htaccess

The only other change to be made here would be to change line 26 of index.php to read:

$system_folder = "../../code_igniter/system-folder";

Answer 2

You can add the following rule to your .htaccess file to further protect the system and application directories from being viewed (sends a 403 Forbidden error):

# Protect application and system files from being viewed
RewriteRule ^(application|system) - [F,L]