[FX.php List] Web Root Directory - clarifying exactly *which* folder?

Joel Shapiro jsfmp at earthlink.net
Thu Oct 16 17:19:35 MDT 2008


Good question, Webko.

I don't understand how it's a risk, but I've certainly seen numerous  
places state that for best security one should keep config files  
outside of the web root directory.

Anybody have any more insight?  Is this really unnecessary?

-Joel


On Oct 16, 2008, at 3:40 PM, Tim 'Webko' Booth wrote:

>>>> I know it's a good idea to keep passwords etc out of the web "root
>>>> directory" so no one can access them via the Web.  I generally err on
>>>> the side of caution but am curious about exactly *which* folder that is.
>
> Actually, why is this the case?
>
> Now, let's say I have a config file at a known web address - when  
> you load that file, as it is all inside php tags, nothing shows up  
> via the web... and if your machine is compromised enough for people  
> to be able to see the raw file (pre-processing), then it's probably  
> compromised enough for people to see other places as well...
>
> Happy to be enlightened on this though...
>
> Webko
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list


