Reply to Re: How to keep passwords secure

Posted by Gordon Burditt on 12/10/06 19:48

>> you could place it outside the Document Root or within a protected
>> directory.
>
>I did just that and I created an .htaccess file in the directory to
>allow Apache to protect it. I'm still a little insecure tho'. I can't
>seem to get to the directory using a browser so why the need to protect
>it with .htaccess?

PHP will occasionally break (when you're in the middle of upgrading it)
and the web server may at that time serve up .php files without running
them. By putting the file outside the document root, you're protected
two ways:

- If PHP isn't working, you can't serve the file containing the
file because it's outside the document tree.
- If PHP *IS* working, you won't serve the file, it will just
be run as PHP.

Also, the file should be readable by the user running PHP but not by
all users.

>My guess is that there will always be the potential
>to get into this directory via url hacks.

That would be a pretty serious bug in Apache.

>Also I was able to download
>the file via ftp from the command line. How to stop that?

Were you able to download the file via *Anonymous* ftp?
If so, you've got a big problem. If it's via non-anonymous FTP,
keep your password secure.
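
The two conditions from the reply above (file outside the document root, not readable by all users) can be checked with a short script. This is an added example, not part of the original post; the function names and return codes are made up for illustration, and it does not verify which account owns the file.

```shell
#!/bin/sh
# Added example: audit where a PHP credentials file lives and who can read it.
# Function names and return codes are hypothetical, not from the original post.

# Print the physical (symlink-resolved) path of an existing directory.
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# check_secret_file DOCROOT FILE
# Returns: 0 = OK
#          1 = file sits under the document root
#          2 = file is readable by all users
#          3 = document root or file not found
check_secret_file() {
    docroot=$(resolve_dir "$1") || return 3
    [ -f "$2" ] || return 3
    filedir=$(resolve_dir "$(dirname "$2")") || return 3

    # Under the document root: the web server can hand the file out as
    # plain text whenever PHP is not running (e.g. mid-upgrade).
    # The trailing slash keeps /srv/www from matching /srv/wwwprivate.
    case "$filedir/" in
        "$docroot"/*) return 1 ;;
    esac

    # "Other" read bit set: every local account can read the password.
    if [ -n "$(find "$2" -prune -perm -004)" ]; then
        return 2
    fi

    return 0
}
```

Call it as `check_secret_file DOCROOT FILE` with your own paths and inspect `$?`.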
