[nycphp-talk] Php off root

Chris Shiflett shiflett at
Mon Jan 26 15:38:46 EST 2009

Hi Michele,

> Anyway, I picked up Chris Shiflett's book "Essential Handbook on Php
> Security".  Nestled in the 100 page book was don't keep php in
> webroot.

I hope you enjoy the book. :-)

The recommendation you're referring to is probably to reduce risk  
wherever possible. For resources that don't need to be directly  
accessible via URL, there's no reason to keep them in document root.  
But, to be clear, the risk in this case is human error.

> It also, cleared up my concerns about keeping passwords in php.

I hope this isn't bad news, but if you're on a shared host, there's  
another concern here. Others can potentially access your files, even  
if they're not in document root. I think the book discusses this in  
Chapter 8. I have a free article that might also be helpful:

> Now, a lot of people attacked me for my ignorance, but I'm new to web
> development.

I remember the discussion, and I don't believe you were attacked. Just  
be a little more honest with your uncertainty when presenting  
information. In your case, you were presenting misinformation as if it  
were fact, and people understandably corrected that. I can understand  
how this can make you feel attacked, but hopefully you can step back  
and see the bigger picture now. :-)

> So, anyway for anyone that I caused concern for the solution for me
> is keep code off webroot and in webroot just include those files.
> Worries over.  Bad sys admin or no.

Exactly. If you can architect a system in a way that makes human error  
less likely or less damaging, then doing so is a good idea. Everyone  
will agree with that.

> Frustrated, I went to Barnes and Noble.  When the gal typed in php and
> security she found Chris's book and another book that's supposed to be
> released this month.

Do you remember the new book? I'd like to read it.

> For a new programmer, Chris's book is chock full of good info.
> Straight to the code.  No fluff.

Nice to know. Thanks very much.


Chris Shiflett
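As an added illustration of the advice in this thread (example code, not from the book or from either poster), here is a front controller that keeps everything except itself outside document root and checks for the two risks discussed: code accidentally deployed inside webroot, and a config file readable by other users on a shared host. The directory layout, file names and config contents are assumed.

```php
<?php
// Assumed layout (constructed for this example):
//   /var/www/example/app/config.php      <- outside document root
//   /var/www/example/public/index.php    <- document root is public/
//
// app/config.php is assumed to contain only:
//   <?php return ['db_dsn'  => 'mysql:host=localhost;dbname=app',
//                 'db_user' => 'app', 'db_pass' => 'PLACEHOLDER_PASSWORD'];
//
// This file is public/index.php, the only file the web server exposes.

declare(strict_types=1);

// Resolve the private directory relative to this file, not to the web
// server's working directory, so the include works however PHP is invoked.
$privateDir = realpath(__DIR__ . '/../app');
if ($privateDir === false) {
    http_response_code(500);
    exit('Application directory missing.');
}

// Refuse to run if the private directory sits inside document root: that
// means the deployment put config.php somewhere a URL could reach it.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
if ($docRoot !== false
    && strpos($privateDir, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('Private files are inside document root; fix the deployment.');
}

// On a shared host the remaining risk is other local users reading the
// file, so log a warning (never to the browser) if it is world-readable.
$configFile = $privateDir . '/config.php';
if ((fileperms($configFile) & 0004) !== 0) {
    error_log("$configFile is world-readable; consider: chmod o-r $configFile");
}

// require returns the array from config.php; the credentials never live
// in a file the web server would hand out if PHP processing were disabled.
$config = require $configFile;

// Hypothetical use of the loaded settings; real work happens in app/.
$pdo = new PDO($config['db_dsn'], $config['db_user'], $config['db_pass']);
require $privateDir . '/bootstrap.php';
```

The world-readable check only covers the classic shared-host case; if the host runs every site under the same user, file permissions alone cannot separate tenants, which is the point Chris makes about Chapter 8.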
