Where to put my PHP files

I finished developing a PHP project. It was developed locally on my PC. Now I'm ready to upload it to my web server and make it public.

There is one thing that worries me: currently all PHP files are in my WWW folder with all HTML, JavaScript, CSS and image files. PHP files are sensitive because they access the MySQL database and often contain passwords and file paths that must be kept secret from users.

If I leave the PHP files in the WWW directory, I'm afraid they might be made available to the public in the same way as other files and images. I am afraid that experienced users might download and read them, and therefore reveal secret information about my web server.

Are my worries legitimate? Is the web server hiding .php files automatically? Should I move PHP files to a different location, away from the WWW folder? Is there any other way to protect my PHP files from uploading?

I use:

  • Apache 2.4.7
  • PHP 5.5.8
  • MySQL 5.6.15


2 answers


It's pretty safe. If you have PHP installed, your web server will always try to run the PHP file instead of displaying its code, and even if the code fails, you will receive an error message or a blank page, not the code.

Alternatively, you can use .htaccess or other kinds of server configuration to disable viewing of these files.

But it should be said that if any of these settings are not configured correctly, the web server can actually serve PHP files as text files!



So, I think it's a good idea to move all php files out of the www folder if they shouldn't be directly accessible. Quite often you will find only one index.php that handles all requests and includes other php files. PHP files that are not in www (document root) can still be included, so it's a good security measure to put these files in a separate folder. This way you reduce the risk of exposing these files when you make a small minor configuration error.

In the end, even when it worked, it's very easy to break it. Maybe you need to tweak your configuration a bit, or you are on a shared host where the hosting provider can make changes without your knowledge, so this is just a smart thing to do.

So, it is recommended to move files out of the www folder. This is usually very easy to do (although it depends on your application structure), so it is just an extra security measure that usually won't cost you a dime. And if you find it difficult (due to your current application structure) to move all files out of the document root completely, make sure that at least the configuration files with passwords are outside the www folder, and then the database access files, which can reveal any security problems you may have in your implementation.

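One way to lay out a project the way the answer above describes, as an added example that is not part of the original answer: a single index.php under the document root pulls configuration and database code from a directory the web server cannot serve. The paths, the array returned by config.php and the db_connect() helper are assumptions.

```php
<?php
// Added example: front-controller layout that keeps secrets outside DocumentRoot.
//
// Assumed (hypothetical) layout:
//   /var/www/example/public/index.php   <- the ONLY PHP file under DocumentRoot
//   /var/www/example/app/config.php     <- returns ['db' => [...]] with credentials
//   /var/www/example/app/db.php         <- defines db_connect(array $db): PDO
//
// If the server is ever misconfigured and serves .php as plain text, the only file
// it can hand out is this one, and it contains no passwords or database code.

declare(strict_types=1);

// Resolve the private directory relative to this file, not to the DocumentRoot,
// so the layout keeps working if the vhost is pointed at a different directory.
define('APP_ROOT', dirname(__DIR__) . '/app');

$appRoot = realpath(APP_ROOT);
if ($appRoot === false) {
    http_response_code(500);
    exit('Application directory missing.');
}

// Guard against the exact mistake the answer warns about: app/ accidentally
// deployed inside the document root, where a misconfiguration could expose it.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
if ($docRoot !== false
    && strncmp($appRoot, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0) {
    http_response_code(500);
    exit('Refusing to start: app/ is inside the document root.');
}

// config.php is a plain PHP file that ends with "return [...]"; it is never
// reachable by URL because it lives outside DocumentRoot.
$config = require APP_ROOT . '/config.php';
require APP_ROOT . '/db.php';

$pdo = db_connect($config['db']);

// ... dispatch the request using $pdo from here on.
```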


Don't worry; the PHP files are interpreted by the web server and the code is not directly accessible from the web browser. In the Apache httpd.conf file you can check that the .php extension is "protected":

    AddType application/x-httpd-php .php

If you are interested in improving the security of your application a little, you can change the extension of your PHP files and your web server configuration (the line above). It's called security through obscurity.







