Larry Ullman's Book Forums


Hi


A somewhat philosophical question here regarding web security.


On pages 229 and 489 you show a schematic whereby the php scripts are in a subdirectory of the webpage.


Wouldn't it be more secure to put the 'includes' directory in the same place as 'mysql.connect.php' and call it with ../includes/script.php?


This would make it a little harder for malicious people to access programs from their browser.


...just a thought....


The includes directory on a server has folder permissions set so that only someone with server access can access that folder and it cannot be read by the public, so as long as your server is secure it would not matter. Best to get on your own dedicated server; being on a shared server with as many as 50 other websites on it, you share the same risk with them. So possibly if someone was to hack one web site on the server with less security than your own, they could also get access to your web site; it's quite common.


It's a fair point, Max. Yes, you could put the includes directory outside of the Web root. That would be more secure. You could also, as Edward suggests, change the permissions on the directory so that it's not available directly. Mostly I would say that "more secure" does not mean "better", though, and in this particular case, many readers have issues when I move things outside of the Web root directory, so using an includes folder within the Web directory is more foolproof.


But by all means make that change in your own sites if you prefer.

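The two layouts discussed above (includes one level above the web root, as Max proposes, or kept inside it with direct access blocked, as Edward and Larry describe), as an added example that is not code from the book or from anyone in the thread; the directory paths and the `load_include` helper are hypothetical:

```php
<?php
// Assumed layout (hypothetical):
//   /var/www/example/public/index.php        <- web root, this file lives here
//   /var/www/example/includes/mysql.connect.php
//
// __DIR__ is the directory of this script (the web root), so one dirname()
// up resolves to a directory the web server never serves directly. This is
// the "../includes/script.php" idea, but anchored to a fixed path rather
// than a relative one that depends on the current working directory.
define('BASE_DIR', dirname(__DIR__));
define('INCLUDES_DIR', BASE_DIR . DIRECTORY_SEPARATOR . 'includes');

// Load an include by plain filename only. The name is validated and the
// resolved path is confirmed to sit under INCLUDES_DIR, so a mangled or
// user-influenced value cannot pull in a file from elsewhere on disk.
function load_include(string $name): void
{
    if (!preg_match('/^[A-Za-z0-9_.-]+\.php$/', $name) || strpos($name, '..') !== false) {
        throw new InvalidArgumentException("Refusing to load include: $name");
    }
    $base = realpath(INCLUDES_DIR);
    $path = realpath(INCLUDES_DIR . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false when the file does not exist.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Include not found under includes/: $name");
    }
    require_once $path;
}

load_include('mysql.connect.php');

// For the in-web-root layout Larry keeps in the book, the server-side
// permissions or an Apache deny rule do the real work; as a fallback, each
// include can refuse to run when it is the script requested directly.
// Place this at the top of a file inside web-root includes/ (hypothetical):
//
//   if (isset($_SERVER['SCRIPT_FILENAME'])
//       && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
//       http_response_code(404);
//       exit;
//   }
//
// When the file is pulled in via require_once, SCRIPT_FILENAME is the
// calling page, so the comparison fails and the include runs normally.
```

The same realpath-under-base check also catches a leftover file such as the phpinfo.php mentioned later in the thread only if it is inside includes/; stray scripts in the web root itself still need to be removed.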

Thanks


One thing I found recently is that I had left phpinfo.php on the website which, if anyone wished, would have been accessible. In truth, I don't think anyone would be interested in my websites as none of them hold client details of any import. I have removed it now though!
