php.ini viewable in browser


jake66

6:06 am on Aug 4, 2006 (gmt 0)

10+ Year Member



is this supposed to happen? i don't have root access but i really don't want people knowing the contents. is there anything i can do to protect it?

jdMorgan

1:35 pm on Aug 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, but it would be helpful if you'd tell us what local URL-path the file is accessible from...

Jim

jake66

5:16 pm on Aug 4, 2006 (gmt 0)

10+ Year Member



mysite.com/php.ini

jdMorgan

5:19 pm on Aug 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Using mod_access [httpd.apache.org] in .htaccess:

<Files php.ini>
Deny from all
</Files>

Jim

g1smd

6:55 pm on Aug 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Shouldn't PHP be installed in a folder above the web root?

jake66

7:46 pm on Aug 4, 2006 (gmt 0)

10+ Year Member



> Shouldn't PHP be installed in a folder above the web root?

you'd think! the host i have doesn't have root access. the first folder you get into, is the public folder.

jake66

8:24 pm on Aug 4, 2006 (gmt 0)

10+ Year Member



> Using mod_access in .htaccess:
>
> <Files php.ini>
> Deny from all
> </Files>
>
> Jim


this did not work. i can still load it in my browser. strange... i have a similar code in my /includes folder, that works properly:

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

jdMorgan

2:23 pm on Aug 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm mystified... Your server or PHP installation is misconfigured somehow, but having thought about it for awhile, I can't discern how.

But as g1smd points out above, the real question is, "Why is my php config file located in an HTTP-accessible directory to begin with?"

Jim

jake66

12:01 am on Aug 8, 2006 (gmt 0)

10+ Year Member



> I'm mystified... Your server or PHP installation is misconfigured somehow, but having thought about it for awhile, I can't discern how.

well, last time i posted my host's name it was edited, but you'd think godaddy would know how to configure their servers properly. (guess not!)

> But as g1smd points out above, the real question is, "Why is my php config file located in an HTTP-accessible directory to begin with?"

i can't fathom this myself. but on their dedicated / semi dedicated accounts they make a point to note you have root access

perhaps a way to dupe people into blowing more money on hosting, for packages they don't really need.

is there something i can put into my php.ini to overwrite the server-settings? at present, this is all i have in it:

register_globals = On

SteveWh

6:35 am on Aug 9, 2006 (gmt 0)

10+ Year Member



I think PHP itself always is installed above the web root, but php.ini is put in the root.

I've heard that register_globals should be Off unless you have a good reason to have them On.

Also try this

<Files php.ini>
order allow,deny
deny from all
</Files>

That's about the last combination that hasn't been tried/suggested! It goes into the root .htaccess, where php.ini is. After you've made this change, maybe clear your browser cache before you try to browse to it, to make sure you're not getting the cached copy.

[edited by: SteveWh at 6:37 am (utc) on Aug. 9, 2006]

jake66

3:40 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



nope, that didn't work either :(

> I've heard that register_globals should be Off unless you have a good reason to have them On.

the scripts i'm using require them and i haven't been able to patch it so they don't need register_globals

what i can't understand is.. why does this work to disable direct viewing of .php files, but not .ini?

jdMorgan

5:33 pm on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm beginning to wonder if php.ini has been Aliased at the Apache level or symlinked at the OS level, so that it only appears to be in the directory path of your code...

Jim

SteveWh

7:46 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



Try going through your .htaccess to see if there are any other "deny,allow" directive sections that might override the one you're trying to create. Here is an entry page to how these work: [httpd.apache.org...]

At the bottom of that page is a link about how the various directive sections work. While trying to research this a week or two ago, I also concluded that apparently when there is a conflict (two or more directives apply to the same file, with conflicting rules), then the final conflict resolution strategy is that the rule appearing latest in .htaccess takes precedence over earlier one(s); but I can't offer a good source for that inference I made; it was just the best conclusion I could reach after a frustrating web search.

Also, if your host is using suPHP, you may need a suPHP_ConfigPath line in your .htaccess. I have one, but it's just one that was provided by my host, so I can't give any assistance on what it means or how to set it up. Maybe this is needed even if suPHP isn't the one being used? Don't know.

[edited by: SteveWh at 7:52 pm (utc) on Aug. 9, 2006]
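
The three `<Files>` blocks posted in this thread, evaluated under mod_access's documented Order/Allow/Deny rules (an added example, not code from any poster or from Apache; the function names, the sample client addresses and the `EXCEPTION` case are constructed, and host matching is simplified to `all`, exact IPs and partial-IP prefixes):

```python
import re

def parse_files_block(text):
    """Return (order, allow_specs, deny_specs) for the body of one <Files> block."""
    order, allow, deny = "deny,allow", [], []  # mod_access default is Order Deny,Allow
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("<", "#")):
            continue  # skip the <Files ...> / </Files> wrapper lines and comments
        m = re.match(r"(?i)order\s+(\S+)$", line)
        if m:
            order = m.group(1).lower()
            continue
        m = re.match(r"(?i)(allow|deny)\s+from\s+(.+)$", line)
        if not m:
            raise ValueError("unsupported directive: " + line)
        target = allow if m.group(1).lower() == "allow" else deny
        target.extend(m.group(2).lower().split())
    return order, allow, deny

def matches(specs, ip):
    # Simplification (assumption): "all", an exact IP, or a partial IP such as "10.1"
    return any(s == "all" or ip == s or ip.startswith(s.rstrip(".") + ".") for s in specs)

def is_allowed(block, client_ip):
    order, allow, deny = parse_files_block(block)
    if order == "deny,allow":   # Deny evaluated first, Allow overrides, default is allow
        return matches(allow, client_ip) or not matches(deny, client_ip)
    if order == "allow,deny":   # Allow evaluated first, Deny overrides, default is deny
        return matches(allow, client_ip) and not matches(deny, client_ip)
    raise ValueError("unsupported Order value: " + order)

THREAD_VARIANTS = {  # the three blocks as posted in the thread
    "jdMorgan": "<Files php.ini>\nDeny from all\n</Files>",
    "includes": "<Files *.php>\nOrder Deny,Allow\nDeny from all\n</Files>",
    "SteveWh": "<Files php.ini>\norder allow,deny\ndeny from all\n</Files>",
}
EXCEPTION = "Deny from all\nAllow from 192.0.2.10"  # constructed contrast case

def thread_verdicts(client_ip="198.51.100.7"):
    """Evaluate each posted block for one (constructed) client address."""
    return {name: is_allowed(block, client_ip) for name, block in THREAD_VARIANTS.items()}

if __name__ == "__main__":
    print(thread_verdicts())
    for order in ("Order Deny,Allow", "Order Allow,Deny"):
        print(order, is_allowed(order + "\n" + EXCEPTION, "192.0.2.10"))
```

Under these rules all three posted blocks deny every client, so which combination is used does not change the verdict; the two orderings only differ once an `Allow from` line is present, as the `EXCEPTION` case shows.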