I'm wondering if there's some kind of criteria that can be used to determine where a script or file should go.

+4  A: 

If you don't mind the possibility that anyone might be able to see the contents then put it inside the web path. Otherwise keep it outside.

Inside: anything publicly available - images, JavaScript, CSS, static content. You'll be putting less strain on the server and will automatically be taking advantage of whatever caching and compression services it has.

Outside: Anything private. Script files, with passwords and other sensitive details, might be vulnerable if a server failure results in them being served as text instead of being parsed.

Ken
I never even thought about a server failure resulting in a script being delivered as text, even though this has happened to me (not a failure, just an improper configuration when setting up the server, but same idea).
Thomas Owens
@Ken - wouldn't you still be vulnerable to serving up scripts as text no matter where they lived? Seems a bit of overkill for not much benefit (the other Kev).
Kev
@Kev - depends how you access them. In PHP I use simple scripts under the document root which then "include" what they want from outside. If these are served as text all that will be served up is an innocuous list of includes.
Ken
@Kev - ...but yes, if you are serving them through alias/mod_rewrite magic then you are still vulnerable.
Ken
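
An added example, not part of the original answer or comments: a small audit for the layout described in the comments above, where scripts under the document root only "include" files kept outside it. The directory names (`public/`, `app/`), file names and sample contents are constructed for illustration, and bare relative include paths are assumed to resolve against the including file's directory.

```python
import re
import tempfile
from pathlib import Path

# One include/require whose argument is a plain string, optionally prefixed by __DIR__.
INCLUDE_RE = re.compile(
    r"""^(?:require|include)(?:_once)?\s*\(?\s*(?P<dir>__DIR__\s*\.\s*)?"""
    r"""(?P<q>['"])(?P<path>[^'"]+)(?P=q)\s*\)?$"""
)

def statements(source):
    """Strip PHP tags and comments, then split what is left into statements."""
    body = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    body = re.sub(r"(?m)^\s*(?://|#).*$", "", body)
    body = body.replace("<?php", "").replace("?>", "")
    return [s.strip() for s in body.split(";") if s.strip()]

def audit_docroot(docroot):
    """Map each PHP file under docroot to what it would expose if served as text."""
    docroot = Path(docroot).resolve()
    findings = {}
    for php in sorted(docroot.rglob("*.php")):
        problems = []
        for stmt in statements(php.read_text()):
            m = INCLUDE_RE.match(stmt)
            if m is None:
                problems.append("non-include statement: " + stmt[:40])
                continue
            # Assumption: a bare relative path resolves against the file's own directory.
            rel = m["path"].lstrip("/") if m["dir"] else m["path"]
            target = (php.parent / rel).resolve()
            if docroot in target.parents:
                problems.append("include stays inside docroot: " + m["path"])
        if problems:
            findings[php.relative_to(docroot).as_posix()] = problems
    return findings

def build_sample():
    """Constructed sample tree: public/ is the document root, app/ sits beside it."""
    site = Path(tempfile.mkdtemp())
    files = {
        "public/index.php": "<?php\n// stub\nrequire __DIR__ . '/../app/main.php';\n",
        "public/admin.php": "<?php\nrequire 'lib/util.php';\n",
        "public/config.php": "<?php\n$db_password = 'example-only';\n",
        "app/main.php": "<?php\n$db_password = 'example-only';\n",
    }
    for name, text in files.items():
        (site / name).parent.mkdir(parents=True, exist_ok=True)
        (site / name).write_text(text)
    return site

if __name__ == "__main__":
    for name, problems in audit_docroot(build_sample() / "public").items():
        print(name, problems)
```

Files that pass are the ones that would show only a list of includes if the server stopped parsing them; anything reported still carries logic or secrets inside the web path.
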
+1  A: 

It's usually best to keep it outside but of course it all comes down to personal preference. I don't think there's any set rule pertaining to this.

FailBoy
Doesn't SOMETHING have to go in the web path, though?
Thomas Owens
Not if you have enough fancy URL rewriting rules...
Kev