Shane

Reputation: 1640

Is require_once "../../file/config.php" the most secure way to hide my config file by modern standards (2013)?

There is a LOT of information out there and I am trying to factor all of this into a single-page web app in PHP. I am not trying to get into a debate; I am simply looking for a standard used in modern sites, or, if opinions differ, some of the risks this and other options entail.

Also, I have my database connection in a connect.php file in the domain root, and I am thinking of moving it back a level as well.

<?php
require_once "../../folder/config.php"; // config lives two directory levels above this script, outside the web root
session_start();
ob_start();
$access = 'my_value';
// ...
if ($connectDatabase == TRUE) {   // $connectDatabase is set in the part elided above
  $action = TRUE;
  include('connect.php');         // database connection file, currently in the domain root
}

Upvotes: 1

Views: 298

Answers (3)

Dyn

Reputation: 395

Move the config file outside the public folder so it cannot be accessed via URL. Or, use a .htaccess file to protect the containing folder with

# Apache 2.2 syntax (mod_access_compat in 2.4): deny every request for files in this directory
deny from all

or

# Apache 2.2 syntax: Order needs both policies, otherwise the directive is rejected
<Files config.php>
    Order Deny,Allow
    Deny from all
</Files>

Upvotes: -2
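As an added example (not code from the question or from any answer), this loader builds the config path from the including file's own directory, so it does not depend on the include_path or working directory the way a bare relative require_once does, and it refuses to load a config that still resolves to somewhere under the document root. The layout (/var/www/public as document root, /var/www/private holding config.php), the function names and the convention that config.php returns an array are all assumptions of this example.

```php
<?php
// Added example: load a config file that must live outside the web root.
// Function names and the directory layout are this example's own assumptions.
declare(strict_types=1);

function isInsideDirectory(string $path, string $dir): bool
{
    // Canonicalise both sides so "../" segments and symlinks cannot fool the prefix check.
    $realPath = realpath($path);
    $realDir  = realpath($dir);
    if ($realPath === false || $realDir === false) {
        return false;
    }
    $realDir = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $realDir, strlen($realDir)) === 0;
}

function loadPrivateConfig(string $relativeToThisFile, string $documentRoot): array
{
    // Anchor on __DIR__ (this file's directory), not on the current working directory.
    $candidate = __DIR__ . DIRECTORY_SEPARATOR . $relativeToThisFile;
    $resolved  = realpath($candidate);

    if ($resolved === false || !is_file($resolved)) {
        throw new RuntimeException('Config file not found: ' . $candidate);
    }
    if (isInsideDirectory($resolved, $documentRoot)) {
        // Fail closed: a config file that is reachable by URL is a misconfiguration.
        throw new RuntimeException('Refusing to load config from inside the document root: ' . $resolved);
    }

    $config = require $resolved;   // assumed convention: config.php ends with "return [ ... ];"
    if (!is_array($config)) {
        throw new RuntimeException('Config file must return an array: ' . $resolved);
    }
    return $config;
}

// Usage with the assumed layout: this file is /var/www/public/index.php,
// the document root is /var/www/public and the config is /var/www/private/config.php.
// $config = loadPrivateConfig('../private/config.php', $_SERVER['DOCUMENT_ROOT']);
// $pdo    = new PDO($config['dsn'], $config['user'], $config['password']);
```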

Sammitch

Reputation: 32272

So long as all *.php files are served through the PHP interpreter, then their contents [between <?php and ?>] are as secure as your application is. The old style of naming includes like dbinfo.inc caused problems because *.inc files were simply served as text if you knew the extension. I prefer inc.dbinfo.php, class.mysql_db.php, view.news.php, etc. for logical grouping in directory listings, but to each their own so long as they end in .php.

Once someone is able to perform code injection, or place/retrieve raw files onto/from your server, it doesn't matter how many levels above the web root your database info is stored.

Upvotes: 4

chadpeppers

Reputation: 2057

It should be secure, but I would advise disallowing indexing on your site. This will not allow people to go to that directory to see the PHP file, and if they try to go to connect.php they will not see anything.

http://www.ducea.com/2006/06/26/apache-tips-tricks-disable-directory-indexes/

Upvotes: 0
