CODEWITHSUNDEEP
php.htaccesssecurityini
justin
justin

Reputation: 25

Can I put a .user.ini file outside the document root in PHP?

I have a PHP web application which I created, organized in folders such as src, vendor and web, where 'web' is set as the document root on my server. The reason for this is to prevent access to any other files which are not in 'web'.

I am using a .user.ini file to simply modify some global settings, but when I placed it one level up of the document root (parent of web) the configurations set where not triggered at all. When I placed it inside 'web' everything worked fine.

What is the reason for this? Is there any way I can make .user.ini work as I proposed?

Security wise I would just prefer to do it this way instead of denying access with .htaccess inside web.

I am using Fast CGI as my PHP handler and do not want to change that.

Upvotes: 2

Views: 1657

Answers (2)

Beta
Beta

Reputation: 11

I do this for my database username, password and database name. I include the ini file like this:

$parsed_ini_variables_array = parse_ini_file('/home/username/ini_folder/file_name.ini');

Then, inside of the ini file :

;Comment
[section name]
key=value
key2=value2

I hope this helps.

Upvotes: 0

Jonathan
Jonathan

Reputation: 5864

Short answer, seems you cannot put the files outside of the specified directories.

According to http://php.net/manual/en/configuration.file.per-user.php,

In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']). In case the PHP file is outside the document root, only its directory is scanned.

Dot Files shouldn't be served by web server

However, your web server shouldn't serve /^./ files at all. If you web server is blocking access to files that begin with a dot, then you're not at risk of disclosing that file.

Set configuration in the code

Another option is to set the ini settings in your source code rather than in the .user.ini file.

http://php.net/manual/en/ini.list.php gives a list of all ini settings you can set through ini_set(). Specifically the options marked ** PHP_INI_USER**.

Upvotes: 2

Related Questions