I include a PHP file from a folder that's below the root directory of my website. This included file has some sensitive information and I was wondering how secure this file is. Is it something I should be concerned about? Is there a way that someone can gain access to this file?

    If the file extension is php, and the contents are stored in variables, there shouldn't be a problem. Of course, it's always best to store sensitive material outside of root, but if you can't avoid it, make sure the file is .php and if viewed produces no output.

      Maybe I didn't use the correct terminology. My directory structure looks like this:
      ./include
      ./www.website.com

      So "include" is outside of the root. Judging by your reply, Thorpe, it sounds like storing my includes outside of the root is fairly secure. Is there anything that I should be concerned about with storing sensitive material in this directory? Are there known ways for people to attack or gain access to this directory (other than knowing my FTP info)?

        They shouldn't be able to access anything outside of your root directory.

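          If you're using Apache, rename your include files with a .inc extension, then add the following to either the .htaccess file or httpd.conf:

          # Refuse direct HTTP requests for any file ending in .inc
          # (dot escaped so the pattern matches the extension only).
          <Files ~ "\.inc$">
          # Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied".
          Order allow,deny
          Deny from all
          Satisfy All
          </Files>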

          This can also be done under IIS, but that is left as an exercise for the reader :evilgrin:
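
An added example, not code from any poster in the thread: a Python check over the layout discussed above (`./include` beside `./www.website.com`) that reports the ways an include file can still end up reachable by URL, namely an include directory that sits inside the document root, a symlink under the document root that resolves into it, or a `.inc` file left inside the document root. The finding labels, the `shared` symlink and the sample file names are constructed for illustration.

```python
import os
import tempfile


def _inside(path, root):
    """True if the symlink-resolved path is root itself or lies under it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def audit(docroot, include_dir):
    """Return sorted (finding, path relative to docroot) pairs."""
    findings = []
    if _inside(include_dir, docroot):
        findings.append(("include-dir-inside-docroot", "."))
    for base, dirs, files in os.walk(docroot):  # does not descend into symlinks
        for name in dirs + files:
            full = os.path.join(base, name)
            rel = os.path.relpath(full, docroot)
            # A symlink under the docroot that resolves into the include
            # directory exposes it if the server is set to follow symlinks.
            if os.path.islink(full) and _inside(full, include_dir):
                findings.append(("symlink-into-include-dir", rel))
            # A .inc file under the docroot is sent as plain text unless a
            # deny rule like the <Files> block above covers it.
            elif name in files and name.lower().endswith(".inc"):
                findings.append(("inc-file-needs-deny-rule", rel))
    return sorted(findings)


def build_demo(root):
    """Constructed sample layout: ./include beside ./www.website.com."""
    docroot = os.path.join(root, "www.website.com")
    include_dir = os.path.join(root, "include")
    os.makedirs(docroot)
    os.makedirs(include_dir)
    for path in (os.path.join(include_dir, "db.inc"),
                 os.path.join(docroot, "index.php"),
                 os.path.join(docroot, "old.inc")):  # stray copy in docroot
        open(path, "w").close()
    os.symlink(include_dir, os.path.join(docroot, "shared"))
    return docroot, include_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding, path in audit(*build_demo(tmp)):
            print(finding, path)
```

The script cannot see the server configuration, so an `inc-file-needs-deny-rule` finding means "confirm the deny rule applies here", and an `Alias` directive pointing at the include directory would need a separate check of httpd.conf.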
