Isn't having all of the files in public view a bad thing?
Surely things such as /system/application/config/database.php should not be publicly visible!
+10
A:
The developers of CodeIgniter, EllisLabs, have set up the framework in this way for ease of use. It means that people wishing to try out the framework don't have to fiddle with any permissions settings on their server.
Of course on a production server, you are absolutely right, putting your PHP files in the public HTML folder is not a good idea.
A better way to organise your folders would be:
- root
- code_igniter
- application_folder
- config
- controllers
- models
- ...
- system_folder
- application_folder
- public_html
- css
- js
- images index.php .htaccess
- code_igniter
The only other change to be made here would be to change line 26 of index.php to read:
$system_folder = "../../code_igniter/system-folder";
Jon Winstanley
2009-11-30 21:35:18
I also like to pull the application folder out of the CodeIgniter folder. I rarely touch CodeIgniter's source and this saves me one level of nesting.
MiseryIndex
2009-11-30 21:44:22
it also means you can reuse the code igniter install for another app without replicating it in its own directory
Matt
2009-11-30 22:25:47
with this setup you also need to change $application_folder in index.php from the default
mrinject
2009-12-01 02:02:14
A:
Accessing the files within /system/ from a browser will not reveal any sensitive information, because the PHP will be parsed and nothing is output from those files (CI system files may even check to see if a variable has been defined that indicates the file wasn't accessed directly).
That being said, however, you should probably install your entire system folder above web root anyway.
Ty W
2009-11-30 21:36:09
Unfortunately, sometimes, PHP doesn't get parsed -- usually due to administrator error. That's how all that Facebook source got leaked a while back. That's why you should keep everything out of world-accessible paths to begin with. It's the difference between locking your valuables in your glovebox, and not leaving them in the car in the first place.
Frank Farmer
2009-11-30 21:41:15
A:
You can always place the system directory outside the public directory. Don't forget to update paths inside the the front controller (index.php).
MiseryIndex
2009-11-30 21:38:30
+4
A:
You can add the following rule to your .htaccess file to further protect the system and application directories from being viewed (sends a 403 Forbidden error):
# Protect application and system files from being viewed
RewriteRule ^(application|system) - [F,L]
cballou
2009-11-30 21:42:12