Max, posted May 7, 2012:
Hi. A somewhat philosophical question here regarding web security. On pages 229 and 489 you show a schematic whereby the PHP scripts are in a subdirectory of the webpage. Wouldn't it be more secure to put the 'includes' directory in the same place as 'mysql.connect.php' and call it with ../includes/script.php? This would make it a little harder for malicious people to access programs from their browser. ...just a thought....
HartleySan, posted May 7, 2012:
Well, the includes folder usually just contains HTML, which anyone can view anyway. Any PHP code in the files will not be viewable, so I don't think it matters.
Edward, posted May 7, 2012:
The includes directory on a server has folder permissions set so that only someone with server access can access that folder, and it cannot be read by the public; so long as your server is secure, it would not matter. Best to get on your own dedicated server: being on a shared server with maybe 50 other websites on it, you share the same risk with them. So possibly, if someone was to hack one web site on the server with less security than your own, they could also get access to your web site; it's quite common.
Larry, posted May 7, 2012:
It's a fair point, Max. Yes, you could put the includes directory outside of the Web root. That would be more secure. You could also, as Edward suggests, change the permissions on the directory so that it's not available directly. Mostly I would say that "more secure" does not mean "better", though, and in this particular case, many readers have issues when I move things outside of the Web root directory, so using an includes folder within the Web directory is more foolproof. But by all means make that change in your own sites if you prefer.
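One way of wiring the layout discussed above (the includes directory one level above the Web root, reached with a `../includes` path), as an added example that is not from the book or from anyone in this thread. The directory names, the `IN_APP` marker constant and the file names are assumptions; the point it adds is that the path is resolved from the script's own location with `__DIR__`, not from the working directory, and that a missing directory fails closed instead of falling back to something inside the Web root.

```php
<?php
// Assumed layout (not from the book):
//   /var/www/example/includes/      <- outside the Web root
//       mysql.connect.php, header.html, footer.html
//   /var/www/example/html/          <- the Web root (DocumentRoot)
//       index.php                   <- this file
//
// Resolve the includes directory relative to THIS file, not to the
// current working directory, so "../includes" means the same thing
// whether PHP is run by Apache, php-fpm or from the command line.
$includes = realpath(__DIR__ . '/../includes');

// Fail closed: if the directory is missing or mis-deployed, do not
// guess a fallback path inside the Web root.
if ($includes === false || !is_dir($includes)) {
    http_response_code(500);
    exit('Configuration error: includes directory not found.');
}
define('INCLUDES_DIR', $includes);

// Marker that the included scripts can test (assumed name). A file
// that is still reachable inside the Web root and gets requested
// directly by a browser will see this constant undefined; its first
// line can therefore be:
//   if (!defined('IN_APP')) { http_response_code(404); exit; }
define('IN_APP', true);

require INCLUDES_DIR . '/mysql.connect.php';
require INCLUDES_DIR . '/header.html';
echo '<p>Page body goes here.</p>';
require INCLUDES_DIR . '/footer.html';
```

The guard line shown in the comment is defence in depth for the case Larry describes where the includes folder stays inside the Web directory; it does not replace moving the directory or restricting its permissions.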
Max, posted May 9, 2012:
Thanks. One thing I found recently is that I had left phpinfo.php on the website which, if anyone wished, would have been accessible. In truth, I don't think anyone would be interested in my websites, as none of them hold client details of any import. I have removed it now though!
Larry, posted May 9, 2012:
Yeah, you shouldn't leave those up on a live server, but it's a common enough mistake.