Posted by samudasu on 02/18/06 05:24
To start off with, opening a php file won't show you php code. It only
shows the results of the php script after it's run. ftp should be
password protected, no one but you will have this password.
I've found that placing sensitive files above document_root works
nicely like you've mentioned. Here's how it's done:
/usr/local/apache/htdocs/ is the doc root.
Make a /usr/local/apache/incfiles/ dir to keep sensitive files, db
connect scripts, user/pass info, etc. Users have no direct access to
these files since they're not in the doc root. Files in this dir are
used with the include() or require() functions. Users don't need
permission to this folder so there are no special permissions required.
The apache user (usually nobody) will access the files.
example:
/usr/local/apache/htdocs/verifylogin.php is a page you can guess what
it does.
I want to include() the script
"/usr/local/apache/incfiles/chkpass.inc.php" in verifylogin.php that
connects to the db and checks the client's username and password.
verifylogin.php...
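<?php
// Pull in the db connection and credential check from outside the doc root.
include '../incfiles/chkpass.inc.php';
?>
<html>
<body>
<?php
// $login_ok is a placeholder name for whatever result chkpass.inc.php sets.
if ($login_ok) {
    echo 'show this';   // user/pass correct
} else {
    echo 'show this';   // user/pass failed
}
?>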
</body>
</html>
If you view source of verifylogin.php you'll see no php code and no
path / reference to /usr/local/apache/incfiles/chkpass.inc.php.
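An added example, not part of the original post: a sketch of what the chkpass.inc.php described above could look like when kept in /usr/local/apache/incfiles/. The $login_ok variable, the users table, the form field names and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made so the file runs on its own.

```php
<?php
// /usr/local/apache/incfiles/chkpass.inc.php  (added example, not the poster's file)

// Refuse to run if this file has been copied under the document root by mistake.
// realpath('') would resolve to the current directory, so skip the check when
// DOCUMENT_ROOT is unset (for example under the CLI).
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
$docRoot = $docRoot !== '' ? realpath($docRoot) : false;
if ($docRoot !== false && strpos(__FILE__, rtrim($docRoot, '/') . '/') === 0) {
    http_response_code(500);
    exit('Configuration error');
}

// Look up the stored hash with a bound parameter and compare it using
// password_verify(), so neither SQL nor plain-text passwords are built by hand.
function check_password(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();   // false when the user does not exist
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed stand-in for the real database: an in-memory SQLite table with
// one sample account. A real include would open the site's own connection here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Form fields can arrive as arrays; accept only strings before checking.
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
$login_ok = is_string($user) && is_string($pass) && check_password($db, $user, $pass);
```

The closing `?>` is left off on purpose so the include cannot emit stray whitespace into the page that includes it.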