Can't Place Files Outside Public_HTML folder!

FTFlash

8:03 am on Nov 24, 2005 (gmt 0)

Hello.

I have hosted my site with GoDaddy.com for about 6 months, and have never complained about the inability to place files outside the public_html folder ...until now.

I am redesigning my current site to use PHP and MySQL, and I'd like to place the MySQL connection script (that contains my username and password) outside of the public_html folder so that it cannot be viewed in a browser. However, when you FTP connect to a site hosted by GoDaddy, you can only see your public folders! I called their support and they said that this was "for security".

I don't know how else to secure my MySQL login info. Any suggestions would be appreciated! Thanks!

coopster

4:14 pm on Nov 24, 2005 (gmt 0)

Well, you could FTP your files over to an unpublished, protected directory and then move them from a command line interface, no?

bunltd

4:25 pm on Nov 24, 2005 (gmt 0)

If you can't move it, you could tell your script to die and redirect to your homepage if that file is directly accessed. That way it won't serve up the contents.

LisaB

FTFlash

9:13 am on Nov 25, 2005 (gmt 0)

I don't have access to a command line interface, unfortunately. I like the idea of making the script die if it is directly accessed; however, I am still considering switching web hosts.

FalseDawn

5:02 pm on Nov 25, 2005 (gmt 0)

Move hosts ASAP.
Denying access to non-public folders under your "home" directory has nothing to do with "security" and everything to do with the fact that they are incapable of configuring servers correctly.

FTFlash

8:19 pm on Nov 25, 2005 (gmt 0)

That's what I was thinking. But they ARE one of the largest hosting companies out there (if I'm not mistaken), and I would have expected better service.

Well, time to search for a new host...

enoj

10:02 am on Nov 27, 2005 (gmt 0)

As long as your script containing the MySQL credentials has a .php extension and the webserver executes .php files through PHP, your credentials will never be displayed, unless of course the PHP file for some reason outputs the credentials.

You could also put all your configuration files in a folder named "config" or whatever and place a .htaccess file in it with the contents "deny from all". The webserver will then refuse any attempts to request a file in the folder (Apache only).

However, not offering a folder for files you don't want available via HTTP at all is quite unacceptable.
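One way to combine bunltd's "die if directly accessed" guard with enoj's advice about the .php extension and the "deny from all" .htaccess, as an added example that is not code from the thread. Two separate files are shown in one block; the file names, the APP_ENTRY constant and the credential values are assumptions and placeholders.

```php
<?php
// Added example, not code from the thread. Two separate files are shown in
// one block: config/db_config.php (holds the credentials) and index.php
// (the page that uses them). File names, the APP_ENTRY constant and the
// credential values are assumptions / placeholders.

// ======== config/db_config.php ========
// 1. Keep the .php extension so the server always runs this file through
//    PHP instead of serving its source (enoj's point about .inc/.lib names).
// 2. Refuse direct requests: a browser hitting this URL has not defined
//    APP_ENTRY, so we leave before a single credential is even assigned
//    (bunltd's die-and-redirect suggestion).
if (!defined('APP_ENTRY')) {
    header('Location: /');
    exit;
}

$dbHost = 'localhost';          // placeholder
$dbUser = 'EXAMPLE_USER';       // placeholder
$dbPass = 'EXAMPLE_PASSWORD';   // placeholder
$dbName = 'EXAMPLE_DB';         // placeholder

// 3. On Apache, a config/.htaccess containing the single line
//        deny from all
//    blocks HTTP requests to the whole folder as a second layer. PHP
//    includes read the file from disk, so they are unaffected.

// ======== index.php ========
// The legitimate entry point defines the constant before including the
// config, so the guard above passes only for code paths that start here.
define('APP_ENTRY', true);
require dirname(__FILE__) . '/config/db_config.php';

$link = mysqli_connect($dbHost, $dbUser, $dbPass, $dbName);
if ($link === false) {
    // Never echo the credentials or the raw connection error to visitors.
    exit('Database connection failed.');
}
// ... queries go here ...
mysqli_close($link);
```

Neither layer replaces a folder outside the web root: the guard only helps while the file is still executed as PHP, and the .htaccess only helps on Apache with overrides enabled.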

FTFlash

8:44 pm on Nov 27, 2005 (gmt 0)

Yah, I know that as long as a file has the .php extension the contents will be parsed, but the PHP and MySQL book I'm reading says that "you can never be too safe".

What does this mean? Is there some way that someone can read the PHP source of my .php files?

I still would like to be safe, and I am planning on switching web hosts.

enoj

8:46 am on Nov 28, 2005 (gmt 0)

What does this mean? Is there some way that someone can read the PHP source of my .php files?

If something happens to your webserver (for example during an upgrade) and it for some reason stops running .php scripts through PHP, your configuration script would be displayed in plain text when executed in a browser.

Such issues are very rare, but it _can_ happen. If, on the other hand, you have a folder for files outside your webroot and place your configuration files in it, there is no way whatsoever that the files will be reachable through a browser.

The big issue is when a coder decides to use some fancy file extension instead of .php. For example, naming all the files in the "include" folder .inc and all the files in the "library" folder .lib. Now that's just plain and simple stupid. As the webserver (usually) isn't set up to execute .lib or .inc files through PHP, the files' contents will be displayed in plain text when requested in a browser.