[RESOLVED] Folder Structure - security

firecircle

I've read that to prevent leaching the image directory should be outside the public root. I've also gotten the impression that folders such as library etc. should also be above the root.

My site will have an image gallery (mysql), with an login-admin page to allow myself to add/delete images.

Would a directory structure like this make sense?

www.site1.com/index.php
www.site1.com/gallery/index.php
www.site1.com/gallery/login.php

site1/library/
site1/images/
site1/image-admin

I'm very new to PHP and web design, and am finding it impossible to make sure that I'm doing things right.

laserlight

I've read that to prevent leaching the image directory should be outside the public root.

No. The images will eventually be served to the client, and once the client has it, the client can save it. If I understand the issue correctly, if you put the images outside of your document root, then it becomes a little harder to serve them (but not by much, if you are following the principle that the physical structure of your website as represented by the file paths (which are themselves a logical structure with respect to disk) is not necessarily the same as its logical structure as represented by the URLs).

I've also gotten the impression that folders such as library etc. should also be above the root.

You could do that since you can include them in your PHP scripts. However, the files that really benefit from being above the document root are those that contain sensitive data like database login credentials. The idea is that even if the server somehow fails to invoke the PHP interpreter and serves the PHP scripts as plain text, the user will only see the code that includes this sensitive file and not the actual login credentials.

firecircle

Hmm. Thanks. More to think about.