Storing script files outside web root

Posted by memilanuk on Stack Overflow See other posts from Stack Overflow or by memilanuk
Published on 2010-06-14T00:31:35Z Indexed on 2010/06/14 0:42 UTC
Read the original article Hit count: 300

Filed under:
|
|

I've seen recommendations to store some or all php include files some place other than in the web document root directory (username/public_html in my case) for the specific reason of protecting php files with sensitive information (like database connection and login info) in the event that the web server hiccups and stops protecting php files and they become 'visible' to outsiders who know where to look.

It seems somewhat paranoid to me, but I'm guessing people have gotten burned badly on this before so I'm willing to go along. The suggestion usually takes the form of having the include files in something like '../include_files/' so its not directly in the document root and not directly accessible to outsiders through the web server.

My question is this: is there a significant difference in security between that way and just putting your 'include_files' directory under the document root and sticking an .htaccess file in there (with the appropriate entries)? Would putting an .htaccess file in '../include_files/' make any significant improvement there?

TIA,

Monte

© Stack Overflow or respective owner

Related posts about php

Related posts about web-development