[nycphp-talk] Php off root
shiflett at php.net
Mon Jan 26 15:38:46 EST 2009
> Anyway, I picked up Chris Shiftlett's book "Essential Handbook on Php
> Security". Nestled in the 100 page book was don't keep php in
I hope you enjoy the book. :-)
The recommendation you're referring to is probably to reduce risk
wherever possible. For resources that don't need to be directly
accessible via URL, there's no reason to keep them in document root.
But, to be clear, the risk in this case is human error.
> It also, cleared up my concerns about keeping passwords in php.
I hope this isn't bad news, but if you're on a shared host, there's
another concern here. Others can potentially access your files, even
if they're not in document root. I think the book discusses this in
Chapter 8. I have a free article that might also be helpful:
> Now, a lot of people attacked me for my ignorance, but I'm new to web
I remember the discussion, and I don't believe you were attacked. Just
be a little more honest with your uncertainty when presenting
information. In your case, you were presenting misinformation as if it
were fact, and people understandably corrected that. I can understand
how this can make you feel attacked, but hopefully you can step back
and see the bigger picture now. :-)
> So, anyway for anyone that I caused concern for the solution for me
> is keep
> code off webroot and in webroot just include those file. Worries
> over. Bad
> sys admin or no.
Exactly. If you can architect a system in a way that makes human error
less likely or less damaging, then doing so is a good idea. Everyone
will agree with that.
> Frustrated, I went to Barnes and Noble. When the gal typed in php and
> security she found Chris's book and another book that's supposed to be
> realeased this month.
Do you remember the new book? I'd like to read it.
> For a new programmer, Chris's book is chalked full of good info.
> to the code. No fluff.
Nice to know. Thanks very much.
More information about the talk