location of important connect file and protecting php files

Posted: Sat Nov 29, 2008 10:32 pm
by mainegate
Where should I put my connect.php file that has my database info in it? I have been reading that it should not be in the same directory and that it should not be in the root. If so, then how do I get down to that directory when I'm including? Is there something I can do in a system file to know where to look or something?

Also, is there any way to protect PHP files from being read or written or anything but still have them run when they are called? I know it sounds weird but I have info in there that I don't want hackers to know (hash info and the like). Is there a way to protect the PHP files, whether it be through encryption and/or read/write/execute access?

Re: location of important connect file and protecting php files

Posted: Sun Nov 30, 2008 12:32 am
by SidewinderX
mainegate wrote: Where should I put my connect.php file that has my database info in it? I have been reading that it should not be in the same directory and that it should not be in the root. If so, then how do I get down to that directory when I'm including? Is there something I can do in a system file to know where to look or something?

Also, is there any way to protect PHP files from being read or written or anything but still have them run when they are called? I know it sounds weird but I have info in there that I don't want hackers to know (hash info and the like). Is there a way to protect the PHP files, whether it be through encryption and/or read/write/execute access?

I generally keep my "config" file in my root directory. Perhaps it is a bad practice, but it has never been the source of an exploit. You could, however, place your connect.php file in your home directory, which will prevent HTTP access to the file. You can include it using the absolute path (assuming a Linux environment), /home/username/connect.php, or a relative path using a directory traversal. From your root directory, a file in your home directory would be located at ../connect.php - notice the ../

If you want to "encrypt" your PHP files you could use the ionCube Encoder or the Zend Encoder, but those two pieces of software are not free, and there are decoders out there.

Re: location of important connect file and protecting php files

Posted: Sun Nov 30, 2008 2:19 am
by Eran
Put your config file outside of the accessible document root directory. If you have the following typical setup:

 
/
/public_html/
...
 
Assuming /public_html is the document root, everything that should be accessible from a browser should go there. Anything that shouldn't should be outside. Suppose you have a bootstrap file under /public_html called index.php, and your config.php file is one up in the folder hierarchy, include it:

 
//index.php
$base = dirname(__FILE__);
require_once(dirname($base) . '/config.php');
 
This way, even if the PHP module fails on your Apache (which happens more than you'd think), your configuration file with your sensitive information will not be accessible.
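
An added example, not part of any post in this thread: a check that a config file really sits outside the document root and is not readable by other local users before it is included, which covers both the placement and the read/write access questions. The helper name `checked_config_path`, the temporary demo tree and the 0640 mode are assumptions made for illustration, and Linux-style permissions are assumed.

```php
<?php
// Added example, not code from the thread. Assumes Linux-style permissions.

/**
 * Hypothetical helper: return the resolved config path only if it lies
 * outside the document root and has no "other" permission bits set.
 */
function checked_config_path(string $docRoot, string $configFile): string
{
    $root = realpath($docRoot);
    $path = realpath($configFile); // resolves ../ and symlinks; false if missing
    if ($root === false || $path === false) {
        throw new RuntimeException('document root or config file not found');
    }
    // Trailing separator so /public_html_old is not mistaken for /public_html.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // Lowest three mode bits are "other": read (4), write (2), execute (1).
    $mode = fileperms($path);
    if ($mode === false || ($mode & 0007) !== 0) {
        throw new RuntimeException('config file is accessible to other local users');
    }
    return $path;
}

// Constructed demo tree mirroring the layout in the post above.
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir($base . '/public_html', 0755, true);
file_put_contents($base . '/config.php', "<?php return ['db_user' => 'example'];\n");
chmod($base . '/config.php', 0640); // owner rw, group r (web server group), other none

// What index.php would do: load the config one level above the document root.
$config = require checked_config_path($base . '/public_html', $base . '/config.php');
echo "loaded config for user {$config['db_user']}\n";

// A copy left inside the document root is rejected before it is ever included.
copy($base . '/config.php', $base . '/public_html/config.php');
try {
    checked_config_path($base . '/public_html', $base . '/public_html/config.php');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The account PHP runs as still has to read the file, so on a real host the owner or group of config.php must match the web server's user.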

Re: location of important connect file and protecting php files

Posted: Sun Nov 30, 2008 3:47 am
by mainegate
That is awesome. Thanks pytrin.