I've seen recommendations to store some or all php include files some place other than in the web document root directory (username/public_html in my case) for the specific reason of protecting php files with sensitive information (like database connection and login info) in the event that the web server hiccups and stops protecting php files and they become 'visible' to outsiders who know where to look.

It seems somewhat paranoid to me, but I'm guessing people have gotten burned badly on this before so I'm willing to go along. The suggestion usually takes the form of having the include files in something like '../include_files/' so it's not directly in the document root and not directly accessible to outsiders through the web server.

My question is this: is there a significant difference in security between that way and just putting your 'include_files' directory under the document root and sticking an .htaccess file in there (with the appropriate entries)? Would putting an .htaccess file in '../include_files/' make any significant improvement there?

TIA,

Monte

+4  A: 

It really depends on what you have in your include_files. The most important thing is that you put any credentials you have outside of the document root (database logins, etc.). Everything else really is secondary and doesn't matter that much.

If you don't want anyone stealing your source code then try to follow Zend conventions:

application
library
public

DocumentRoot points to public and that just contains media files, js/css files. HTML/views, db logic, conf/credentials are in application. Third party libraries are in library.

meder
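As an added example of the layout meder describes (this is not code from the answer, and the paths are hypothetical), here is a front controller for a tree `/home/username/app/{application,library,public}` with Apache's `DocumentRoot` pointed at `public`. It assumes `application/config/db.php` returns an array of credentials, refuses to start if that file turns out to sit under `DocumentRoot`, and autoloads classes only from the two directories above the web root:

```php
<?php
// public/index.php, the only PHP file under DocumentRoot.
// Added example; not code from the answer above. Assumed (hypothetical) layout:
//   /home/username/app/application/config/db.php  credentials, above DocumentRoot
//   /home/username/app/application/               views, models, bootstrap
//   /home/username/app/library/                   third-party code
//   /home/username/app/public/                    Apache DocumentRoot: media, js, css, this file
//
// application/config/db.php is assumed to contain nothing but
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=app', 'username' => 'app_user', 'password' => 'change-me'];
// Returning an array keeps the credentials out of global scope, and the file
// cannot be fetched over HTTP because no URL maps to a path above DocumentRoot.

declare(strict_types=1);

define('APP_ROOT', dirname(__DIR__));   // one level above public/

/**
 * require() a config file and fail closed if it is web-reachable.
 * Defence in depth: if someone later copies the file into public/ or
 * re-points DocumentRoot, the application stops instead of running beside
 * a secrets file that a misconfigured server could serve as plain text.
 */
function loadConfig(string $relativePath): array
{
    $path = realpath(APP_ROOT . '/' . $relativePath);
    if ($path === false) {
        throw new RuntimeException("Config file not found: $relativePath");
    }

    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false
        && strpos($path, rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Refusing to load $relativePath: it is inside DocumentRoot");
    }

    $config = require $path;
    if (!is_array($config)) {
        throw new RuntimeException("$relativePath must return an array");
    }
    return $config;
}

// Classes named Foo_Bar (or Foo\Bar) resolve to application/Foo/Bar.php or
// library/Foo/Bar.php. Both directories sit above DocumentRoot, so none of the
// autoloaded code is addressable by URL.
spl_autoload_register(function (string $class): void {
    $rel = str_replace(['_', '\\'], '/', $class) . '.php';
    foreach ([APP_ROOT . '/application/', APP_ROOT . '/library/'] as $base) {
        if (is_file($base . $rel)) {
            require $base . $rel;
            return;
        }
    }
});

$db  = loadConfig('application/config/db.php');
$pdo = new PDO($db['dsn'], $db['username'], $db['password'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
unset($db);   // don't leave the password in a variable that a stray var_dump() could print

require APP_ROOT . '/application/bootstrap.php';   // assumed: routes the request
```

On the Apache side this assumes a vhost with `DocumentRoot /home/username/app/public` and `AllowOverride None` in the matching `<Directory>` block; with nothing but index.php and static assets under that directory there is no per-directory .htaccess to maintain, and the credentials file needs no access rule at all because it has no URL.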
+2  A: 

Using .htaccess adds overhead since Apache has another item it needs to check for and process.

Keeping files out of web root isn't being paranoid, it's good practice. What happens if someone accesses one of the "include" files directly and it throws out revealing errors because all the pre-requisite files weren't loaded?

Each file needs to have its own security checks to make sure it is running under the expected environment. Each executable file in a web accessible area is a potential security hole.

Brent Baisley
+1 for pointing out the performance downside of .htaccess (also, if you specify AllowOverride None, Apache doesn't even look for the file). Agreed on your other points w/regards to keeping the files out of the document root; it takes a couple of minutes to set up (especially with an __autoload/spl_autoload_register), so why not do it?
El Yobo
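To make the per-file check concrete (added example, not Brent Baisley's or El Yobo's code), here is a view file that assumes the front controller has already run. The path and table name are hypothetical; `public/index.php` is assumed to `define('APP_ENTRY', true)`, turn `display_errors` off, and create `$pdo` before including anything:

```php
<?php
// application/views/user_list.php (hypothetical path). Added example, not
// code from the answers above. Only public/index.php is meant to include
// this file; index.php is assumed to run
//     define('APP_ENTRY', true);
//     ini_set('display_errors', '0');   // errors go to the log, not the response
//     error_reporting(E_ALL);
// before any include, and to have created $pdo.

// The guard: refuse to do anything unless the entry point has run. A direct
// request for this file (possible whenever it lives under DocumentRoot and the
// .htaccess rule is missing, misspelled, or ignored because of AllowOverride
// None) gets a bare 403 instead of a fatal error that names this file's
// absolute path and the variable it expected to exist.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

// Everything below relies on state set up by the front controller.
// Without the guard, a direct hit reaches this line with $pdo undefined and,
// if display_errors is on, prints a fatal error with the absolute path of
// this file to the visitor.
$stmt  = $pdo->query('SELECT id, name FROM users ORDER BY name');
$users = $stmt->fetchAll(PDO::FETCH_ASSOC);

echo "<ul>\n";
foreach ($users as $user) {
    // Escape on output so a stored name cannot inject markup into the page.
    echo '  <li>', htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8'), "</li>\n";
}
echo "</ul>\n";
```

The guard costs one `defined()` call per include and works whether or not the file is under the document root, which is why it belongs in every non-entry file even after the files have been moved above `DocumentRoot`: it covers the day someone copies one back.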
A: 

Theoretically, if you just stick a .htaccess file in the folder, you could still have the .php files called directly.

Taking them out of the server root, however, keeps them from ever being accessed by someone who is browsing your website.

Aaron Harun
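A way to see for yourself what each approach leaves reachable (added example, not Aaron Harun's code): a command-line script that walks a DocumentRoot, lists every .php file other than the front controller, and notes whether a .htaccess in that file's directory denies access. The docroot path and front-controller name are arguments; nothing in it comes from the original page:

```php
<?php
// audit_docroot.php. Added example, not from the answer above. Run as
//   php audit_docroot.php /home/username/public_html index.php
// Every PHP file under DocumentRoot other than the front controller is a
// file a visitor can request by URL. A .htaccess deny only protects it when
// AllowOverride permits the directive; a file above DocumentRoot needs no
// rule at all and never appears in this listing.
declare(strict_types=1);

function findExposedPhp(string $docRoot, string $frontController = 'index.php'): array
{
    $docRoot = rtrim(realpath($docRoot) ?: $docRoot, '/');
    $exposed = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        /** @var SplFileInfo $file */
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($docRoot) + 1);
        if ($rel === $frontController) {
            continue;   // the one script that is meant to be requested
        }
        $exposed[$rel] = htaccessDenies($file->getPath());
    }
    ksort($exposed);
    return $exposed;
}

// True if the directory's .htaccess contains an Apache deny-all directive
// (2.2 "Deny from all" or 2.4 "Require all denied"). Whether Apache honours
// it depends on AllowOverride, which this script cannot see.
function htaccessDenies(string $dir): bool
{
    $ht = $dir . '/.htaccess';
    if (!is_file($ht)) {
        return false;
    }
    return preg_match('/^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\b/mi', file_get_contents($ht)) === 1;
}

if (PHP_SAPI === 'cli') {
    $root  = $argv[1] ?? getcwd();
    $front = $argv[2] ?? 'index.php';
    foreach (findExposedPhp($root, $front) as $rel => $denied) {
        printf("%-50s %s\n", $rel,
            $denied ? '.htaccess denies (only if AllowOverride allows it)' : 'REACHABLE BY URL');
    }
}
```

Run it against the layout with `include_files/` under the document root and every include shows up, with or without a .htaccess; run it against the layout with the includes in `../include_files/` and the listing is empty, which is the difference the question asks about.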