I found a script on Google for a user registration system.
It has 20 different files, and it also has a "settings.php" file where my database username and password are written.
My concern is about the location of the files.
Is it safe to put them in the "public_html" folder,
or should I hold the password file outside the "public_html" folder,
or should I put all the script files outside "public_html" entirely?
Thank you.
Where to hide mysql files?
Re: Where to hide mysql files?
Depends on your environment and how the script is programmed.
Two main concerns come up:
1. Can someone just browse to the file and see it?
2. Can someone who is on a shared server somehow see the code?
So, if your server is set up correctly, just browsing to it (http://www.domain.com/settings.php) will not give them the source code, so they won't see the connection information. But it is also a good idea to add code to "included" files to prevent direct viewing. For debugging, I like seeing how long a script takes to run, so any script that should be called (directly browsed to), I start with:
Code:
<?php
// Entry point: record the start time; included files test for this constant.
define('SCRIPT_START', microtime(TRUE));
//now do any includes...
require_once('settings.php');
// rest of script...
$run_time = microtime(TRUE) - SCRIPT_START;
echo "\n\n<!-- Script Ran in ",$run_time," seconds -->\n";
?>
Then in settings.php (and all other scripts that will only be used via includes) at the very top:
Code:
<?php
// Stop immediately if this file was requested directly instead of being included.
if (!defined('SCRIPT_START')) { die('ERROR: Invalid direct call to script'); }
// Rest of the script...
?>
Now, onto the issue of whether another user on a shared host can see it. This depends on the environment. On my server, I have cPanel installed, and the default setup for that keeps a script from accessing files outside the user directory. Not all hosts are set up that way, and if that is the case, it doesn't matter whether you put the script in the public_html directory or not: if YOUR script can read it, so can another user's script (or a hack shell if one ends up on the server).
I used to keep things separated out, with a public_html and a private_core. Now I just set up files properly; that way it's easier to roll out to another server if needed.
-Greg
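A check for the convention in the reply above, as an added example that is not part of the original post or of the script discussed in the thread: it walks a web root and reports PHP files that neither define SCRIPT_START nor test for it in their opening lines. The sample tree, its file names and the 512-character window are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Entry points define the constant; include-only files must test for it.
DEFINES = re.compile(r"""\bdefine\s*\(\s*['"]SCRIPT_START['"]""")
GUARDS = re.compile(r"""!\s*defined\s*\(\s*['"]SCRIPT_START['"]\s*\)""")
# Only the opening of the file counts: a guard placed after other code runs too late.
HEAD_CHARS = 512  # assumed window size; heuristic text match, not a PHP parser

def classify(source: str) -> str:
    """Return 'entry', 'guarded' or 'unguarded' for one PHP source string."""
    head = source[:HEAD_CHARS]
    if GUARDS.search(head):
        return "guarded"
    if DEFINES.search(head):
        return "entry"
    return "unguarded"

def audit(webroot: Path) -> dict[str, list[str]]:
    """Group every .php file under webroot by its classification."""
    report = {"entry": [], "guarded": [], "unguarded": []}
    for path in sorted(webroot.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        report[classify(text)].append(path.relative_to(webroot).as_posix())
    return report

def build_sample(root: Path) -> None:
    """Write a constructed sample tree (not the script from the thread)."""
    files = {
        "index.php": "<?php\ndefine('SCRIPT_START', microtime(TRUE));\n"
                     "require_once('settings.php');\n",
        "settings.php": "<?php\nif (!defined('SCRIPT_START')) { die('ERROR'); }\n"
                        "$db_pass = 'placeholder';\n",
        "inc/mailer.php": "<?php\n$smtp_pass = 'placeholder';\n",
    }
    for name, body in files.items():
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for kind, names in audit(Path(tmp)).items():
            print(f"{kind:9} {', '.join(names) or '-'}")
```

Files listed as unguarded are the ones to review: each either needs the guard at the top or is a page meant to be browsed to that should define SCRIPT_START.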