On Wednesday 21 August 2002 08:15 am, Jay Blanchard wrote:
> [snip]
> In another thread [How do you protect individual files], Justin French
> stated:
>
> "In real short, you want to store the files outside your htdocs root (so
> they
> can't be served by http) . . ."
>
> My PHP setup serves files from DOCUMENT_ROOT=/var/www/html. If I place
> files in '/var/www/html/secure' would this provide any isolation for file
> access? Am I correct in thinking that 'below' is not the same as 'outside'
> doc_root, and that in this case, no protection would be afforded?
> [/snip]
>
> Yes, and no. 'Secure' is below the root and is therefore less protected.
> However, you can still use .htaccess directives to control the 'secure'
> directory much more closely. The path could be hacked, but if there is a
> requirement to login to that folder (because of .htaccess directives) then
> the hacker will still have to come up with appropriate authentication.
>
> If the root is /var/www/html then outside of the root could be
> /var/www/secure so that the path cannot be hacked from the browser, but you
> should still apply appropriate restrictions.
>
> HTH!
>
> Jay
>
Thanks Jay,

It's becoming clearer. But one question concerning:

"the path could be hacked, but if there is a requirement to login to that 
folder (because of .htaccess directives)  then the hacker will still have to 
come up with appropriate authentication."

Since all sensitive files on my site require login (username/password) and 
each (https) page requires the appropriate $_SESSION variables before it'll 
load, I wonder whether I can leave things as they are (everything in the 
/html folder)? You mentioned that the "path could be hacked" -- if that's the 
case (even using .htaccess) would setting these sensitive files "below" the 
root make much difference?

Tia,
Andre

-- 
PHP General Mailing List (http://www.php.net/)

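The arrangement Jay describes (files in /var/www/secure, a sibling of the /var/www/html docroot, handed out only through a script that checks the session) looks roughly like the following. This is an added example written for this page, not code from anyone in the thread; it targets modern PHP rather than the PHP 4 of 2002, and the directory names, the `file` query parameter and the `$_SESSION['user_id']` login marker are assumptions. The point it adds to the discussion: once the files are outside DOCUMENT_ROOT there is no URL that reaches them, so the only remaining path to "hack" is the filename this script accepts, and that is what the `basename()` and `realpath()` checks close.

```php
<?php
// Added example (not from the thread): hand out a file stored outside
// DOCUMENT_ROOT only to an authenticated session.
// Assumptions: files live in /var/www/secure (docroot is /var/www/html),
// the login page sets $_SESSION['user_id'], and the file is requested as ?file=NAME.
declare(strict_types=1);

session_start();

// Same check every protected page in the thread already does: no session, no file.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Apache never serves anything under /var/www/secure because it is not below
// the docroot; this script is the only way to read those files over HTTP.
$base = realpath('/var/www/secure');
if ($base === false) {
    http_response_code(500);
    exit('Storage directory missing');
}

// Accept a bare filename only. basename() strips directory components, so a
// request like ?file=../../etc/passwd no longer equals its own basename and is
// refused before the disk is touched. Leading dots reject "." , ".." and dotfiles.
$name = $_GET['file'] ?? '';
if ($name === '' || $name !== basename($name) || $name[0] === '.') {
    http_response_code(400);
    exit('Bad filename');
}

// realpath() resolves symlinks and any remaining oddities; then confirm the
// resolved path is still inside $base and is a regular file.
$path = realpath($base . DIRECTORY_SEPARATOR . $name);
$prefix = $base . DIRECTORY_SEPARATOR;
if ($path === false
    || strncmp($path, $prefix, strlen($prefix)) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Serve as a download; the filename header is encoded so the stored name
// cannot inject additional header content.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . rawurlencode($name) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Compared with leaving the files under /var/www/html/secure behind an .htaccess login, this moves the access decision into the application's own session logic (the same one the pages already use), and a misplaced or deleted .htaccess no longer exposes the directory, because there is nothing for the web server to serve there in the first place.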