Keeping files out of docroot

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Most would agree that this is the safest bet, but is it really that much better than a system that uses .htaccess, either passwords or mod_rewrite or similar?

So long as Apache is configured properly...wouldn't the latter be just as good?

Cheers :)
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

It doesn't seem to make a huge difference, but keeping some stuff outside your docroot will keep it from colliding with a changing directory structure. OK... kind of a weak argument...

I guess my actual opinion is: meh.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Well, it is all about whether or not Apache is configured properly: someone might accidentally nuke the configuration and expose sensitive files. But yeah, theoretically speaking if Apache's not allowed to touch it, it won't.
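Added example, not part of the thread or any poster's code: a small audit that sorts sensitive files into the cases the thread compares, namely outside the docroot, inside it but covered only by a deny rule in `.htaccess`, or inside it with no rule at all. The function names, the directory layout and the file contents are constructed for illustration; `Alias` directives and `<Files>` scoping are not modelled.

```python
import os
import re
import tempfile

# Deny rules: Apache 2.4 ("Require all denied") and 2.2 ("Deny from all").
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\b", re.I | re.M)

def classify(docroot, path):
    """Return 'outside-docroot', 'htaccess-only' or 'exposed' for one file."""
    root = os.path.realpath(docroot)
    real = os.path.realpath(path)  # resolve symlinks before comparing
    if os.path.commonpath([root, real]) != root:
        return "outside-docroot"  # no docroot URL maps to it (Alias not checked)
    d = os.path.dirname(real)
    while len(d) >= len(root):  # walk up from the file to the docroot
        ht = os.path.join(d, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                if DENY_RE.search(fh.read()):
                    return "htaccess-only"  # holds only while AllowOverride honours it
        if d == root:
            break
        d = os.path.dirname(d)
    return "exposed"

def audit_sample():
    """Build a constructed layout in a temp dir and classify each sensitive file."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "public_html")
        os.makedirs(os.path.join(docroot, "includes"))
        os.makedirs(os.path.join(base, "private"))
        files = {  # constructed sample content
            "private/db.ini": "password=example\n",
            "public_html/includes/config.php": "<?php // settings\n",
            "public_html/includes/.htaccess": "Deny from all\n",
            "public_html/backup.sql": "-- dump\n",
        }
        for rel, body in files.items():
            with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {rel: classify(docroot, os.path.join(base, rel))
                for rel in files if not rel.endswith(".htaccess")}

if __name__ == "__main__":
    for rel, verdict in audit_sample().items():
        print(f"{verdict:16} {rel}")
```

Files reported as `htaccess-only` are the ones that become downloadable if the server configuration stops honouring `.htaccess` (for example `AllowOverride None`); files reported as `outside-docroot` are unaffected by that change.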