I was reading the "Essential PHP Security" book, part of the O'Reilly series, and it explains how my database credentials should be in a private root on my website.
The only two directories I can see are public_html and public_ftp, and yes I have shared hosting, so I am not sure there is a whole lot I can do about this issue.
What are those private roots and why is it better to keep my database information in a separate file instead of my individual php files?
Also, when users log in I enable a session variable which is not a username or a password; it's a variable which cannot be traced to any specific user. Would I need another variable for security purposes, say a user ID variable, so each user can be defined as well? I am just concerned about the security of my site. Thanks.
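An added example (not part of the original post) showing the two things the question asks about: loading database credentials from a single file kept outside `public_html`, and tying a logged-in session to a user ID. It assumes the hosting account's home directory sits one level above `public_html` and is writable, and that the loader file itself lives directly in `public_html`; the `private/db-config.php` path and the key names are assumptions.

```php
<?php
// Added example, not the book's or the original poster's code.
// Assumes: this file is in public_html, and ../private/ (outside the web root)
// is readable by the PHP process. Path and key names are assumptions.
declare(strict_types=1);

// 1. Credentials live in one file outside the web root. A server that ever
//    serves raw .php source (misconfiguration, or a stray editor backup like
//    db.php~) cannot hand them out, and every page includes this one loader
//    instead of repeating the password in each script.
define('DB_CONFIG_PATH', dirname(__DIR__) . '/private/db-config.php');

function loadDbConfig(): array
{
    if (!is_readable(DB_CONFIG_PATH)) {
        // Fail closed: never fall back to credentials embedded in this file.
        throw new RuntimeException('database configuration is not readable');
    }
    // db-config.php simply does: <?php return ['dsn' => ..., 'user' => ..., 'password' => ...];
    $config = require DB_CONFIG_PATH;
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!isset($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("database configuration is missing '$key'");
        }
    }
    return $config;
}

function connectDb(): PDO
{
    $c = loadDbConfig();
    return new PDO($c['dsn'], $c['user'], $c['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// 2. After the password check succeeds, store the user's ID in the session and
//    rotate the session ID, so an identifier issued before login cannot be
//    reused and each request can be attributed to a specific account.
function establishLoginSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```

If the host really offers nothing writable above `public_html`, keep the config as a `.php` file that only `return`s the array (so a direct request executes it and outputs nothing) and additionally deny web access to it in `.htaccess`; that is a weaker fallback than a location outside the web root, not a replacement for it.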