Keep sensitive data out of your web tree

A typical web server document tree looks like this:

/htdocs
    /include
        config.inc
    index.php

If you store sensitive data such as configuration files inside that tree,
anyone can point a browser at http://example.com/include/config.inc and read it.

Therefore, place sensitive data outside your web server’s document root:

/htdocs
    index.php
/phpinc
    config.php

Unfortunately, not all hosting providers let you put files outside the document root.

Also, use no extension other than .php for source files in your PHP project.
Files with other extensions (such as .inc) are not handed to the PHP
interpreter, so their contents can be read or downloaded as plain text.
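
One way to check a document root for this mistake, as an added example that is not part of the original post: the script below walks a directory and reports every file that is neither a .php file nor a recognised static asset, since those are the files the web server would hand out verbatim. The default directory /htdocs and the short allowlist of static-asset extensions are assumptions; adjust both to your site.

```php
<?php
// Added example (not from the original post): list files under a document
// root that would be served as plain text instead of being executed by PHP.
// The default directory /htdocs and the allowlist of static-asset extensions
// are assumptions for this example.
declare(strict_types=1);

/**
 * Return the paths of all files under $docRoot that would be served verbatim:
 * everything that is neither a .php file nor a known static asset.
 */
function findExposedFiles(
    string $docRoot,
    array $staticAllowlist = ['css', 'js', 'png', 'jpg', 'gif', 'svg', 'ico']
): array {
    $exposed = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $ext = strtolower($file->getExtension());
        if ($ext === 'php' || in_array($ext, $staticAllowlist, true)) {
            continue;
        }
        // .inc, .bak, .sql, .txt, editor swap files and the like all end up here.
        $exposed[] = $file->getPathname();
    }
    sort($exposed);
    return $exposed;
}

$docRoot = $argv[1] ?? '/htdocs';
if (!is_dir($docRoot)) {
    fwrite(STDERR, "not a directory: $docRoot\n");
    exit(2);
}

$exposed = findExposedFiles($docRoot);
if ($exposed === []) {
    echo "No non-PHP files found under $docRoot\n";
    exit(0);
}
foreach ($exposed as $path) {
    echo "served as plain text: $path\n";
}
exit(1); // non-zero so the check can fail a deployment step
```

Run it as `php check-docroot.php /path/to/htdocs`; a non-zero exit status makes it easy to wire into a pre-deployment check.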


2 comments so far

  1. tippy on

    How do I reference an include file if it is outside my root? Say I have
    include("config.php"); in index.php, what would I use as a path if config.php was in /phpinc?

  2. b23 on

    hi tippy

    include("../phpinc/config.php");
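
The layout the post recommends, and tippy's question about how to reference the file from index.php, as an added example that is not part of the original post or of the comments. Building the path on `__DIR__` instead of a bare relative path (as in b23's reply) makes the include independent of whichever working directory the web server runs PHP in, and lets the script confirm that the resolved file really sits outside the document root. The file names follow the post's tree; the configuration keys and values are placeholders, and `str_starts_with` requires PHP 8.

```php
<?php
// ===== file: /phpinc/config.php (outside the document root, not reachable over HTTP) =====
// Added example, not from the original post. Returning an array keeps the
// secrets out of global variables; the values below are placeholders.
return [
    'db_dsn'  => 'mysql:host=localhost;dbname=app',
    'db_user' => 'app',
    'db_pass' => 'CHANGE-ME',
];
```

```php
<?php
// ===== file: /htdocs/index.php (inside the document root) =====
// Added example, not from the original post.
declare(strict_types=1);

/**
 * Resolve and validate the configuration file path, then load it.
 * Anchoring on __DIR__ means the include works regardless of the current
 * working directory; realpath() collapses the ".." so the result can be
 * checked against the document root.
 */
function loadConfig(string $relativePath): array
{
    $path = realpath(__DIR__ . '/' . $relativePath);
    if ($path === false || !is_readable($path)) {
        throw new RuntimeException('configuration file not found or unreadable');
    }
    // Catches a deployment that copied phpinc into htdocs by mistake.
    $docRoot = realpath(__DIR__);
    if (str_starts_with($path, $docRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('configuration file must live outside the document root');
    }
    $config = require $path;
    if (!is_array($config)) {
        throw new RuntimeException('configuration file must return an array');
    }
    return $config;
}

try {
    $config = loadConfig('../phpinc/config.php');
} catch (RuntimeException $e) {
    http_response_code(500);
    error_log($e->getMessage()); // details go to the log, not to the visitor
    exit('Server configuration error');
}

// Use the configuration normally.
$pdo = new PDO($config['db_dsn'], $config['db_user'], $config['db_pass']);
```

Because config.php lives one level above /htdocs, a request for http://example.com/phpinc/config.php gets a 404 rather than the file contents, while index.php can still read it through the filesystem.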

