[FX.php List] Web Root Directory - clarifying exactly *which* folder?

Dale Bengston dbengston at tds.net
Thu Oct 16 19:10:23 MDT 2008


Seems weird to me, because then you'd need to give the www user access  
to a directory outside the web root, and that creates its own security  
problems.

Dale


On Oct 16, 2008, at 6:19 PM, Joel Shapiro wrote:

> Good question, Webko.
>
> I don't understand how it's a risk, but I've certainly seen numerous  
> places state that for best security one should keep config files  
> outside of the web root directory.
>
> Anybody have any more insight?  Is this really unnecessary?
>
> -Joel
>
>
> On Oct 16, 2008, at 3:40 PM, Tim 'Webko' Booth wrote:
>
>>>>> I know it's a good idea to keep passwords etc out of the web "root
>>>>> directory" so no one can access them via the Web.  I generally err on
>>>>> the side of caution but am curious about exactly *which* folder that is.
>>
>> Actually, why is this the case?
>>
>> Now, let's say I have a config file at a known web address - when  
>> you load that file, as it is all inside php tags, nothing shows up  
>> via the web... and if your machine is compromised enough for people  
>> to be able to see the raw file (pre-processing), then it's probably  
>> compromised enough for people to see other places as well...
>>
>> Happy to be enlightened on this though...
>>
>> Webko
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>
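An added example, not part of any message in this thread: a PHP loader that accepts a config file only when it resolves to a path outside the web root, is not accessible to "other" users, and is read-only for the account running PHP. The directory layout, file names and config keys are constructed for the demonstration, and it assumes a POSIX system and an unprivileged user.

```php
<?php
// Added example, not from the thread. Directory and key names are constructed.
// True when $path lies at or below $dir (both already canonical).
function path_is_inside(string $path, string $dir): bool
{
    $dir = rtrim($dir, '/') . '/';
    return strncmp($path . '/', $dir, strlen($dir)) === 0;
}

// Load a PHP config file only if it is outside the web root and locked down.
function load_private_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);          // resolves symlinks and ".."
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or web root not found');
    }
    if (path_is_inside($real, $root)) {
        throw new RuntimeException("$real is inside the web root");
    }
    $mode = fileperms($real) & 0777;        // POSIX permission bits
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('mode %04o grants access to "other"', $mode));
    }
    if (is_writable($real)) {               // always true when run as root
        throw new RuntimeException("$real is writable by the current user");
    }
    $config = require $real;                // file must `return [...]`
    if (!is_array($config)) {
        throw new RuntimeException('config file must return an array');
    }
    return $config;
}

// Constructed layout: <tmp>/htdocs is the web root, <tmp>/private is not served.
$base = sys_get_temp_dir() . '/fx_demo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0750, true);
$body = "<?php return ['db_user' => 'web', 'db_pass' => 'placeholder'];\n";
foreach (['htdocs', 'private'] as $dir) {
    file_put_contents("$base/$dir/config.php", $body);
    chmod("$base/$dir/config.php", 0440);   // read-only for owner and group
    try {
        $cfg = load_private_config("$base/$dir/config.php", "$base/htdocs");
        echo "$dir: loaded, db_user = {$cfg['db_user']}\n";
    } catch (RuntimeException $e) {
        echo "$dir: refused, {$e->getMessage()}\n";
    }
}
```

In a deployment, the second argument would be the server's document root (for example `$_SERVER['DOCUMENT_ROOT']`) and the file would be owned so that the web server account can read it through its group but not modify it.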
