Bunkai.Satori

Reputation: 4758

Secure file hierarchy in PHP

I have finished my PHP project development. It was developed locally on my PC. Now I am ready to upload it on my web server and make it publicly accessible.

However, one thing bothers me: currently, all the PHP files are in my WWW folder with all the HTML, JavaScript, CSS, and image files. PHP files are sensitive, as they access the MySQL database and often contain passwords and file paths that are meant to remain secret from the users.

If I leave the PHP files within the WWW directory, I am afraid they could become accessible to the public, just like the other files and images. I am so scared that skilled users could download and read them and reveal secret information about my web server.

Are my worries legit? Does the web server automatically hide .php files? Should I move the PHP files to another location, away from the WWW folder? Is there any other way to protect my PHP files from being downloaded?

I am using:

Upvotes: 3

Views: 30851

Answers (2)

tomloprod

Reputation: 7862

Don't worry: PHP files are interpreted by the web server, and the code is not accessible directly from the web browser. In Apache's httpd.conf file, you can check that the php extension is "protected":

AddType application/x-httpd-php .php

If you are interested in adding a little extra security to your application, you can change the extension of your PHP files and your web server config (the line above). This is called "security through obscurity".

Upvotes: 5

GolezTrol

Reputation: 116110

It's pretty safe. If you have PHP installed, your web server will always try to run the PHP file rather than showing its code, and even if the code fails, you will get an error message or a blank page rather than the code.

Apart from that, you can use .htaccess or other server configuration to disable viewing of those files.

But... It must be said that if any of these settings are configured incorrectly, the web server may serve the PHP files as plain text files!

So I think moving all PHP files out of the www folder is a good idea if they should not be accessed directly. You'll often find only one index.php that handles all requests and includes other PHP files. PHP files not in www (the document root) can still be included, so it's a good safety measure to put them in a separate folder. That way, you reduce the risk of exposing those files when you make a tiny configuration error.

After all, even when it worked before, it's very easy to break it. Maybe you want to tweak your configuration or are on a shared host where the hosting provider might make changes without you knowing, so it's just a wise thing to do.

So... It is a good idea to move files out of the www folder. It's usually straightforward to do this (although it depends on your application structure), so it's just an extra safety measure that won't cost you a dime. And if it's hard (due to your current application structure) to completely move all files out of the document root, make sure that at least configuration files with passwords are outside of the www folder, followed by database access files that might expose any security issues you might have in your implementation.

Upvotes: 8
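The layout this answer describes (a single index.php inside the document root that includes everything else from a folder outside it), as an added illustration that is not part of the original answer. The directory names, the APP_ENTRY guard and the credential values are assumptions chosen for the example; a misconfigured server that started serving the app/ files as plain text would still expose the source, so the guard only stops them from executing, it does not replace keeping them outside the web root.

```php
<?php
// ===== public/index.php  (the only PHP file inside the document root) =====
//
// Assumed layout (constructed for this example):
//   /var/www/example/public/index.php   <- Apache DocumentRoot
//   /var/www/example/app/config.php     <- credentials, outside DocumentRoot
//   /var/www/example/app/db.php         <- database access code
//
// Apache vhost line that makes only public/ reachable by URL:
//   DocumentRoot /var/www/example/public
declare(strict_types=1);

// Marker that the files outside the document root check for, so they refuse
// to run if a later configuration mistake ever makes them reachable directly.
define('APP_ENTRY', true);

$app    = dirname(__DIR__) . '/app';        // resolves to /var/www/example/app
$config = require $app . '/config.php';     // never served: it is not under DocumentRoot
require $app . '/db.php';

$pdo = db_connect($config);
header('Content-Type: text/plain');
echo 'connected as ' . $config['db']['user'] . "\n";

// ===== app/config.php  (outside the document root) =====
defined('APP_ENTRY') or exit('Forbidden');  // refuse direct execution
return [
    'db' => [
        'dsn'  => 'mysql:host=127.0.0.1;dbname=example;charset=utf8mb4',
        'user' => 'example_user',           // placeholder values, not real credentials
        'pass' => 'CHANGE_ME',
    ],
];

// ===== app/db.php  (outside the document root) =====
defined('APP_ENTRY') or exit('Forbidden');
function db_connect(array $config): PDO
{
    return new PDO(
        $config['db']['dsn'],
        $config['db']['user'],
        $config['db']['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
}
```

The three sections are separate files shown in one listing; only public/index.php has a URL, and the relative `dirname(__DIR__)` lookup keeps working if the whole /var/www/example tree is moved.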
