Keep sensitive data out of your web tree

A web server’s document structure resembles this:


If you store sensitive data like configuration files inside it, anyone
can point a browser at the file and read it.

Therefore you should place sensitive data outside your web server’s
document root:


Unfortunately not all hosting providers support this.
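
The following is an added example, not code from the original post: one way to load a configuration file kept outside the document root, refusing to load it if it resolves to a path inside the web tree. The function name `loadPrivateConfig`, the `htdocs`/`phpinc` directory names, and the convention that `config.php` returns an array are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Load a PHP config file that must live outside the document root.
 * Throws instead of loading when the file resolves to a path inside $docRoot.
 * (Hypothetical helper, not part of any library.)
 */
function loadPrivateConfig(string $docRoot, string $configPath): array
{
    $root = realpath($docRoot);
    $file = realpath($configPath);          // resolves ".." and symlinks
    if ($root === false || $file === false || !is_file($file)) {
        throw new RuntimeException('Document root or config file not found');
    }

    // Compare with a trailing separator so /srv/www does not match /srv/www-private.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }

    // Assumption: config.php ends with "return [ ... ];"
    $config = require $file;
    if (!is_array($config)) {
        throw new RuntimeException('Config file did not return an array');
    }
    return $config;
}

// Constructed demo layout in a temp directory so the example runs as-is.
$base = sys_get_temp_dir() . '/docroot-demo-' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0700, true);          // stands in for the document root
mkdir("$base/phpinc", 0700, true);          // private directory beside it
$body = "<?php return ['db_user' => 'app'];";
file_put_contents("$base/phpinc/config.php", $body);
file_put_contents("$base/htdocs/config.php", $body);   // misplaced copy

// Config outside the web tree: loaded.
$config = loadPrivateConfig("$base/htdocs", "$base/htdocs/../phpinc/config.php");
echo 'Loaded db_user: ', $config['db_user'], PHP_EOL;

// Config inside the web tree: refused.
try {
    loadPrivateConfig("$base/htdocs", "$base/htdocs/config.php");
} catch (RuntimeException $e) {
    echo 'Refused: ', $e->getMessage(), PHP_EOL;
}
```

In a real `index.php`, passing `__DIR__` as the document root and `__DIR__ . '/../phpinc/config.php'` as the config path keeps the lookup independent of the current working directory and of `include_path`.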

Also, don’t use any extension other than .php for files in your PHP
project. Files with other extensions can be read or downloaded.

2 comments so far

  1. tippy on

    How do I reference an include file if it is outside my root? Say I have
    include("config.php"); in index.php, what would I use as a path if config.php was in /phpinc?

  2. b23 on

    hi tippy

