03-30-2010, 01:14 PM | #1
cfructose
htaccess - protecting files outside public_html

I'm trying to take extra measures to protect my MySQL password.

As it stands, the password is stored in a php variable outside public_html, in a folder with a .ini.php extension:

Code:
/home/user/private_html/database.ini.php
Given its location on the server, am I right in saying the following addition to my .htaccess would be redundant, or could it still help?

Code:
# Note: this glob only matches file names ending in ".ini";
# a file named database.ini.php does not match this pattern.
<Files *.ini>
  Order deny,allow
  Deny from all
</Files>
More generally, is there anything more I could do to help keep this password secure, given that MySQL won't accept a hashed password?

Thanks

Last edited by cfructose; 03-30-2010 at 01:15 PM.. Reason: formatting
03-30-2010, 08:47 PM | #2
xconspirisist
It is always good to store configuration files in a private directory like you have done, good work. Renaming it to .ini.php should avoid it being served up by the webserver, but nobody can access it in the first place, so hey-ho.

I say keep that directive in your .htaccess or even your main vhost config if possible - I can't imagine any situations where you would actually want to serve a .ini like a normal file.
03-30-2010, 09:11 PM | #3
cfructose
Thanks. Useful comments.

Just one point to clarify:

Does the htaccess "deny from all" that I'm using mean that any files ending in ".ini" that are entered manually into a URL will be denied? Have I understood that correctly?

If so, then isn't it the case that my config file isn't accessible via a URL anyway (given that it's not in public_html), so even without the htaccess directive, nothing could be entered into the URL that could result in its being parsed in the first place?
03-30-2010, 09:16 PM | #4
xconspirisist
The directive "deny from all" in that configuration means that any .ini file that someone requests will result in the webserver sending an HTTP 403 and not the file. This stops anyone, should they type the URL or click a link.

As I mentioned in my previous post, you might as well leave the directive (even though it is technically not doing anything - your file is in a private directory and cannot be accessed) because it will stop anyone getting the file should you accidentally put .ini files in a public directory in the future.
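An added example, not code from the thread, of the same deny rule written for the main server or vhost config as suggested in post #4, widened so that it also covers the database.ini.php naming from post #1; the FilesMatch regex and the IfModule switch between the Apache 2.2 and 2.4 access-control syntax are my additions.

```apache
# Added example (not from the thread). Put this in the main server config or
# the vhost rather than .htaccess so it applies to every DocumentRoot.
# The <Files *.ini> glob from the thread only matches names ending in ".ini",
# so database.ini.php would not be covered and would be handed to PHP.
# This regex matches "x.ini" and anything built on it: x.ini.php, x.ini.bak ...
<FilesMatch "\.ini(\.[^/]*)?$">
    # Apache 2.4: mod_authz_core is present, use the new syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: fall back to the Order/Deny syntax used in the thread
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

The rule is defence in depth only: a request still returns 403 if someone later copies a .ini or .ini.php file into public_html, while the primary protection remains keeping the file outside the DocumentRoot as the thread describes.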
03-30-2010, 11:37 PM | #5
cfructose
Got it.

All very clear now.

Cheers.
All times are GMT +1.