What level of security would this provide?
Posted: Thu Aug 22, 2002 9:55 am
by dlgilbert
I'm writing an application that puts data files in a specific directory. Assuming the directory is NOT outside the web tree, would it provide an adequate level of security to put an .htaccess file in the data directory with "Deny from all" in it? There are no "web page" files in the data directory, just files that will be accessed by the application scripts.
I *can* put the data directory outside the web tree, but I've seen this done in another application and was intrigued.
Thanks for your help!
Posted: Thu Aug 22, 2002 10:01 am
by llimllib
To my mind, that would be secure. The only worry I have is if you switch the site's servers to one without .htaccess files - it would be more portable to be outside the web tree. Plus, if you put it outside the tree, you just don't have to worry about it.
Posted: Thu Aug 22, 2002 10:12 am
by nielsene
My only concern, on top of llimllib's comments: does your webserver have write permission to that directory? Does your application write data to this place while it's running, or is this only preloaded files by you? (This actually applies regardless of if the directory is in/out of the webtree.) If the answer to these questions is yes, you just have to be extremely careful with trusting the data in the directory.
Posted: Thu Aug 22, 2002 10:20 am
by dlgilbert
The top-level directory would be created manually and the webserver would have write access to it. The application would create subdirectories and write data files (and update them) dynamically. The same would apply if the directories were outside the web tree.
Basically, I'm using text files to store data instead of using MySQL, because the quantity of data is pretty small and I want the app to have as little dependence on other systems as possible.
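Added example, not part of the thread or written by any poster: a small check for the setup discussed above, reporting whether a data directory sits inside the web tree, whether its .htaccess really contains a deny-all directive, and whether the running user could replace that file. The function name and the sample paths are hypothetical, and the write check is only meaningful when the script runs as the web server's user.

```python
import os
import re
import tempfile

# The directive quoted in the thread (Apache 2.2 syntax) and its Apache 2.4
# equivalent. Anchored per line so a commented-out directive does not count.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def audit_data_dir(docroot, data_dir):
    """Return findings for an application data directory (hypothetical helper)."""
    docroot = os.path.realpath(docroot)    # resolve symlinks before comparing
    data_dir = os.path.realpath(data_dir)
    if os.path.commonpath([docroot, data_dir]) != docroot:
        return ["OK: data directory is outside the web tree"]
    findings = ["WARN: data directory is inside the web tree"]
    try:
        with open(os.path.join(data_dir, ".htaccess"), errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = None
    if text is None:
        findings.append("FAIL: no .htaccess in data directory")
    elif not DENY_RE.search(text):
        findings.append("FAIL: .htaccess has no deny-all directive")
    else:
        findings.append("NOTE: deny-all present; it only protects the files "
                        "if the server honours .htaccess")
    if os.access(data_dir, os.W_OK):
        findings.append("WARN: this user can write to the directory, "
                        "so it can also replace .htaccess")
    return findings


if __name__ == "__main__":
    # Constructed sample layout: <tmp>/htdocs is the web tree, data lives inside.
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "htdocs", "data")
        os.makedirs(data)
        with open(os.path.join(data, ".htaccess"), "w") as fh:
            fh.write("Deny from all\n")
        for line in audit_data_dir(os.path.join(root, "htdocs"), data):
            print(line)
```

The NOTE line cannot be confirmed from the filesystem alone; requesting one of the data files through the web server and expecting a 403 is the check that covers a server that ignores .htaccess.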