Apache - Blocking outside access to a folder, yet PHP scripts can read

[xZAOx]

Hi. I have a "config.inc" file, that needs to be protected such that someone typing in, for example "

http://www.yourserver.com/etc/config.inc"

won't show it, yet if I had a "test.php" in the root folder of the web folders, it could print out the contents of config.inc by browsin to "

http://www.yourserver.com/test.php".

Sorry for the newbie question. I'm new to Apache

 

[sleipnir214]

Put the config file on your server's filesystem outside of your web site's document root.

PHP's filesystem functions, such as include() and require(), are not constrained to the document root but can open a file from anywhere on the filesystem. Assuming, of course, that permissions are correct.


Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[lgarner]

sleipnir's suggestion is exactly the number one thing that I would suggest.

Another thing that I do is name my include files "config.inc.php". That way, if it is visible to a web browser it will simply be execured and return no information to the browser. These files typically only set variables and definitions, and don't display anything.

 

[xZAOx]

Both great ideas. Thanks alot!

 

[Wullie]

Just another suggestion, mostly if you do not have access to put files outside of the docroot.

If you can move the file to it's own directory away from the php scripts, just drop an htaccess file in the directory with the config file. Your scripts will still be able to read it but browsers will not be able to directly.

Hope this helps

Wullie

Fresh Look - Quality Coldfusion Hosting

http://www.tutorial-world.com

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell