Depends on your environment and how the script is programmed.
Two main concerns come up:
1. Can someone just browse to the file and see it?
2. Can someone who is on a shared server somehow see the code?
So, if your server is set up correctly, just browsing to it (http://www.domain.com/settings.php) will not give them the source code, so they won't see the connection information. But it is also a good idea to add code to "included" files to prevent direct viewing. For debugging, I like seeing how long a script takes to run, so any script that should be called directly (browsed to), I start with:
<?php
define('SCRIPT_START', microtime(TRUE));
//now do any includes...
require_once('settings.php');
// rest of script...
$run_time = microtime(TRUE) - SCRIPT_START;
echo "\n\n<!-- Script Ran in ",$run_time," seconds -->\n";
?>
Then in settings.php (and all other scripts that will only be used via includes) at the very top:
<?php
if (!defined('SCRIPT_START')) { die('ERROR: Invalid direct call to script'); }
// Rest of the script...
?>
Now, on to the issue of whether another user on shared hosting can see it. This depends on the environment. On my server, I have cPanel installed, and the default setup for that keeps a script from accessing files outside the user directory. Not all hosts are set up that way, and if that is the case, it doesn't matter whether you put the script in the public_html directory or not, because if YOUR script can read it, so can another user's script (or a hack shell if one ends up on the server).
I used to keep things separated out, with a public_html and a private_core. Now I just set up files properly; that way it is easier to roll out to another server if needed.
-Greg
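
An added example, not part of the original post: a small PHP CLI audit that checks include-only files for both concerns above, the SCRIPT_START guard as the first statement and "other" read permission on the file. The function name, the temporary directory and the sample files are constructed for illustration; it assumes a POSIX host, and whether a tighter mode than 0644 works depends on how the host runs PHP.

```php
<?php
// Added example, not from the original post. Assumes the guard has the exact
// form shown in the post (SCRIPT_START) and POSIX permission bits.
function audit_include_file(string $path): array
{
    $source = @file_get_contents($path);
    if ($source === false) {
        return ['unreadable by this user'];
    }
    $findings = [];
    // Concern 1: the guard must be the first statement. Tokenize so that
    // leading comments and whitespace can neither hide nor fake a guard.
    $skip = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $code = '';
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && in_array($tok[0], $skip, true)) {
            continue;
        }
        $code .= is_array($tok) ? $tok[1] : $tok;
    }
    if (!preg_match('/^if\(!defined\(([\'"])SCRIPT_START\1\)\)\{?(die|exit)\b/', $code)) {
        $findings[] = 'no SCRIPT_START guard as first statement';
    }
    // Concern 2: on a shared host the "other" read bit decides whether a
    // different account's script can open this file.
    $mode = fileperms($path) & 0777;
    if ($mode & 0004) {
        $findings[] = sprintf('world-readable (mode %04o)', $mode);
    }
    return $findings;
}

// Constructed sample input: one guarded and one unguarded settings file.
$dir = sys_get_temp_dir() . '/include_audit_' . getmypid();
mkdir($dir, 0700);
$guard = "if (!defined('SCRIPT_START')) { die('ERROR: Invalid direct call to script'); }";
file_put_contents("$dir/settings.php", "<?php\n// DB settings\n$guard\n\$db_pass = 'example';\n");
file_put_contents("$dir/legacy.php", "<?php\n\$db_pass = 'example';\n");
chmod("$dir/settings.php", 0600);
chmod("$dir/legacy.php", 0644);

foreach (glob("$dir/*.php") as $file) {
    $findings = audit_include_file($file);
    echo basename($file), ': ', $findings ? implode('; ', $findings) : 'ok', "\n";
    unlink($file);
}
rmdir($dir);
```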