laserlight;10946299 wrote: Place those files outside of the document root. What more do you want? If you cannot do that, yet you insist on having helper scripts with side effects, then too bad. Live with your lack of security.
Outside of doc_root is preferable, if possible.
Especially for all sensitive information, like configs and personal/private stuff on you or your users.
When we run a personal server from our own computer, or have our own server elsewhere,
it is easy to put whatever we want outside doc_root and to configure our server + php.ini reasonably strictly & securely.
However, the majority of website owners must take what the hosting company has to offer.
Unfortunately this almost NEVER includes directories outside the web root.
I do not know why.
Because it wouldn't be hard, I think, to offer clients such directories
that cannot be accessed directly via the web.
What options are left, and what do people use to protect stuff:
1. Store everything (as much as possible) that is sensitive in one database, like MySQL.
This means that this database's data files will be located outside of the web root,
in another part of the host's hard drive.
2. Very often you can use Apache + .htaccess file(s).
To make any access other than from your own PHP scripts completely impossible,
we usually put a .htaccess file in the directory (e.g. /includes/)
and put this one line inside the .htaccess:
Deny from All
There are a bunch of small things we can do to make our web files & stuff secure from others.
If we use several different things, tricks and methods together, we can come close to our goal:
a website where we are in control of what we share and what we don't.
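The /includes/ .htaccess approach from option 2, written out as an added example (not from the post above) that works on both Apache 2.2 and 2.4. The bare "Deny from All" line is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat it is an unknown directive and produces a 500 error instead of a denial, so both forms are wrapped in IfModule checks.

```apacheconf
# Added example: .htaccess placed in the protected directory, e.g. /includes/
# Blocks every direct HTTP request; PHP's own include/require still reads the
# files from disk, so scripts in the document root keep working.

<IfModule mod_authz_core.c>
    # Apache 2.4+: the Require syntax replaces Order/Deny.
    # Needs "AllowOverride AuthConfig" (or All) in the host's config.
    Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2: classic access control.
    # Needs "AllowOverride Limit" (or All) in the host's config.
    Order deny,allow
    Deny from all
</IfModule>
```

After uploading, request one of the protected files in a browser and confirm a 403 Forbidden; if the file content or a 500 error comes back, the host has AllowOverride disabled or is not running Apache (nginx ignores .htaccess entirely), and the directory is not protected.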