Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Most would agree that this is safest best, but is it really that much better than a system that uses .htaccess, either passwords or mod_rewrite or similar?
So long as Apache is configured properly...wouldn't the latter be just as good?
it doesn't seem to make a huge difference, but keeping some stuff outside your docroot will keep it from colliding with a changing directory structure. OK.. kind of a weak argument...
Well, it is all about whether or not Apache is configured properly: someone might accidentally nuke the configuration and expose sensitive files. But yeah, theoretically speaking if Apache's not allowed to touch it, it won't.