NYCPHP Meetup

[nycphp-talk] Htaccess and php user account

David Krings ramons at gmx.net
Tue Dec 2 07:07:21 EST 2008


Tim Lieberman wrote:
> 2) Keep anything sensitive out of the web root.
> 
> So, very simplified, you've got something like this:
> 
> /some/dir/webroot -- webroot
> /some/dir/secure -- not accessible by apache
> /some/dir/lib/db.php - php script that contains any sensitive database 
> connection information (note: your database shouldn't be accepting 
> connections from just anyone, either.  That's why there's a "host" field 
> in mysql.user.

Thanks for the interesting post. I was initially confused by one thing:
> /some/dir/lib/db.php - php script that contains any sensitive database 

I was always under the impression that Apache/PHP cannot access scripts 
outside of webroot, which after some further thought appears to be only 
applicable to script files that are directly accessed (such as the page.php 
script in the original post). The script file with the db access information 
is not to be served up under any circumstances, and it is also not necessary, as 
Apache/PHP can access the local file system and read/write from/to any place 
the access restrictions allow.
This way the sensitive information is off-limits via the web and technically 
all that is needed in webroot is a single script file that only calls at least 
one other script that is located somewhere else outside of webroot. Sometimes 
the most difficult things are really darn easy.

David
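As an added example (not code from the original post or from Tim's reply), this is how the single script in webroot that David describes can pull the credentials from /some/dir/lib/db.php and refuse to run if that file ever ends up inside the DocumentRoot. The paths follow Tim's layout; the DSN, user name and password are constructed placeholders.

```php
<?php
// Added example, not from the original thread. Assumed layout (Tim's):
//   /some/dir/webroot        -- Apache DocumentRoot, the only served directory
//   /some/dir/lib/db.php     -- credentials, never reachable by URL
//
// Constructed sample contents of /some/dir/lib/db.php (placeholder values):
//
//   <?php
//   return [
//       'dsn'  => 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
//       'user' => 'app_user',
//       'pass' => 'PLACEHOLDER_PASSWORD',
//   ];
//
// This file is /some/dir/webroot/index.php, the one script Apache serves.
declare(strict_types=1);

// Resolve the config path relative to THIS file, never from request input,
// so nothing in the URL can influence which file gets included.
$configFile = realpath(__DIR__ . '/../lib/db.php');
$docRoot    = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);

if ($configFile === false) {
    http_response_code(500);
    exit('Configuration file missing.');
}

// Defensive check: the credentials file must live OUTSIDE the DocumentRoot.
// If a deploy ever copies it inside, a misconfigured handler could serve it
// as plain text, so fail closed instead of connecting.
$prefix = $docRoot . DIRECTORY_SEPARATOR;
if ($docRoot !== false && strncmp($configFile, $prefix, strlen($prefix)) === 0) {
    http_response_code(500);
    exit('Refusing to run: db.php is inside the web root.');
}

$cfg = require $configFile;   // local filesystem read; no HTTP involved

try {
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    // Keep the detailed error server-side; the browser only sees a generic message.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database unavailable.');
}

// Render the page; the credentials never left /some/dir/lib.
echo 'Connected as ', htmlspecialchars($cfg['user'], ENT_QUOTES, 'UTF-8');
```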
