Re: security question: includes outside doc root

J.O. Aho

Pugi! wrote:
> I read that from a security point of view includes (containing php
> code) should be located outside document root.
> On an LAMP server, where do you place those includes ?
> My document root is /var/www/html (/var/www/html/site1, /var/www/html/
> site2, ...). Is for example /var/www/phpincludes/ good enough for
> security reasons ?

Your document root(s) you find in your apache settings, easy way to check
those is just do a grep for DocumnetRoot on those configuration files you have
for you sites.

Your document root seem to be /var/www/html/site1 for site1, so for that one
you can place files in /var/www/html/ and you will be outside the sites root
directory.
Your document root seem to be /var/www/html/site2 for site2, so for that one
you can place files in /var/www/html/ and you will be outside the sites root
directory.
If you have a default server running which has /var/www/html as document root,
then change that as fast as possible, as this can lead to security overrides,
create a new document root for it, example /var/www/html/default and move all
files there that hasn't anything to do with your other sites.

The answer to your question is that /var/www/phpincludes/ is outside your
document roots.


--

//Aho