  1. #1
    Regular Coder
    Join Date
    Feb 2007
    Location
    London
    Posts
    225
    Thanks
    16
    Thanked 2 Times in 2 Posts

    htaccess - protecting files outside public_html

    I'm trying to take extra measures to protect my MySQL password.

    As it stands, the password is stored in a PHP variable outside public_html, in a folder with a .ini.php extension:

    Code:
    /home/user/private_html/database.ini.php

    Given its location on the server, am I right in saying the following addition to my .htaccess would be redundant, or could it still help?

    Code:
    <Files *.ini>
      Order deny,allow
      Deny from all
    </Files>

    More generally, is there anything more I could do to help keep this password secure, given that MySQL won't accept a hashed password?

    Thanks
    Last edited by cfructose; 03-30-2010 at 01:15 PM. Reason: formatting

  • #2
    Regular Coder xconspirisist's Avatar
    Join Date
    Jun 2006
    Location
    Great Britain.
    Posts
    138
    Thanks
    1
    Thanked 6 Times in 6 Posts
    It is always good to store configuration files in a private directory like you have done, good work. Renaming it to .ini.php should avoid it being served up by the webserver, but nobody can access it in the first place, so hey-ho.

    I say keep that directive in your .htaccess or even your main vhost config if possible - I can't imagine any situations where you would actually want to serve a .ini like a normal file.
    If I have been helpful, use the "thank" button - It makes me happy!

    xconspirisist.co.uk - homepage of my online alias
    technowax.net - a community for people interested in all forms of modern technology.

  • #3
    Regular Coder
    Thanks. Useful comments.

    Just one point to clarify:

    Does the htaccess "deny from all" that I'm using mean that any files ending in ".ini" that are entered manually into a URL will be denied? Have I understood that correctly?

    If so, then isn't it the case that my config file isn't accessible via a URL anyway (given that it's not in public_html), so even without the htaccess directive, nothing could be entered into the URL that could result in its being parsed in the first place?

  • #4
    Regular Coder xconspirisist's Avatar
    The directive "deny from all" in that configuration means that any .ini file that someone requests will result in the webserver sending an HTTP 403 and not the file. This stops anyone should they type the URL or click a link.

    As I mentioned in my previous post, you might as well leave the directive (even though it is technically not doing anything - your file is in a private directory and cannot be accessed) because it will stop anyone getting the file should you accidentally put .ini files in a public directory in the future.

  • #5
    Regular Coder
    Got it.

    All very clear now.

    Cheers.
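
An added example, not part of the thread or any poster's code: a Python check for the two questions discussed above, namely whether a secrets file resolves inside the docroot and whether a `<Files *.ini>` rule would cover its file name. The names `audit_config` and `demo` are hypothetical, the directory tree is constructed in a temp dir, and `fnmatch` is assumed here as an approximation of Apache's file-name wildcard matching on a POSIX host.

```python
import fnmatch
import os
import stat
import tempfile


def audit_config(path, docroot, deny_patterns=("*.ini",)):
    """Report how exposed a secrets file is relative to a web docroot."""
    real = os.path.realpath(path)          # follow symlinks before comparing
    root = os.path.realpath(docroot)
    inside = os.path.commonpath([real, root]) == root
    # A <Files> wildcard is applied to the file name only, so the check
    # below uses the basename, not the full path (assumed approximation).
    name = os.path.basename(real)
    covered = any(fnmatch.fnmatchcase(name, p) for p in deny_patterns)
    mode = stat.S_IMODE(os.stat(real).st_mode)
    return {
        "inside_docroot": inside,
        "matched_by_deny_rule": covered,
        "world_readable": bool(mode & stat.S_IROTH),
    }


def demo():
    """Build a constructed /home/user-style tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as home:
        docroot = os.path.join(home, "public_html")
        private = os.path.join(home, "private_html")
        os.mkdir(docroot)
        os.mkdir(private)
        results = {}
        for label, folder, name in [
            ("private", private, "database.ini.php"),
            ("stray_ini", docroot, "settings.ini"),
            ("stray_ini_php", docroot, "database.ini.php"),
        ]:
            target = os.path.join(folder, name)
            with open(target, "w") as fh:
                fh.write("; constructed sample, no real credentials\n")
            os.chmod(target, 0o600)        # owner-only, as a secrets file should be
            results[label] = audit_config(target, docroot)
        return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

On this constructed tree the `*.ini` pattern covers `settings.ini` but not `database.ini.php`, so a rule meant as a safety net for the latter would also need a pattern such as `*.ini.php`.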

