Posted by Gordon Burditt on 04/11/06 22:58

>This is a PHP question that came up while working with SquirrelMail.
>I read an installation procedure that suggested moving several
>directories out of web space. Two of them make sense, but the third
>directory, houses configuration options in php files. If the web server
>is properly optioned to serve .php files (by executing php and serving
>the result), is there any reason to place this write protected directory
>outside of web space?

>There is no way for someone to see anything
>inside "<?php" and "?>" right?

True if PHP is correctly configured and working, but it can happen if:

(1) You lose the Apache directives that cause it to treat .php files
as PHP (say, during an upgrade of Apache).
(2) The PHP extension shared library gets deleted after a messy power
brownout crash and subsequent fsck, and Apache can't load PHP.
or
(3) Briefly during an upgrade of PHP.

You really ought to shut down Apache during upgrades of Apache or PHP
but sometimes admins forget.

"The files are secure if PHP is working" is less secure than "The
files are secure if PHP is working (inside PHP section) and the
files are secure if PHP is not working (outside document tree)".

Gordon L. Burditt

[Back to original message]