
I don't know if users can do bad things if they can access my php.ini file but I would like to disable access to this extension.

I tried this:

```apache
<Files ~ "\.(ini)$">
order allow,deny
deny from all
</Files>
```

But it doesn't seem to work...

What can I do?

Thank you very much for your help. Cordially.

cyclone200
  • With read access, they cannot. With write access... they've already gained access to your server. I would `chmod` the file appropriately. – ʰᵈˑ Oct 03 '14 at 15:31
  • @ʰᵈˑ Thank you for your answer! Well, the file chmod is currently 604. Is that enough to protect it? – cyclone200 Oct 03 '14 at 15:34
  • Protect it against ***what***? – ʰᵈˑ Oct 03 '14 at 15:34
  • Do you really mean php.ini (as in the ini file for PHP)? If so, what on earth is it doing inside your document root... and if it's outside your document root, what are you expecting to do with .htaccess? – CD001 Oct 03 '14 at 15:37
  • Well, I don't know. If users can access my php.ini, is it bad? And I use my php.ini file in all files to enable gzip compression. The only things in my php.ini are: `zlib.output_compression = true` and `zlib.output_compression_level = 9` – cyclone200 Oct 03 '14 at 15:41
  • @cyclone200 The only things that should be in your document root are the things you want your users to access directly. System configuration (like PHP.ini) shouldn't be there. Most of your PHP application shouldn't be in there either. – Brad Oct 03 '14 at 15:43
  • @Brad Thanks for your answer, but this is the only way to activate the gzip compression... – cyclone200 Oct 03 '14 at 15:47
  • @cyclone200 No, you can add it to your main `php.ini` file located at `/etc/php.ini` (in CentOS) – ʰᵈˑ Oct 03 '14 at 15:53
  • Or you could just use the relevant PHP flag in the .htaccess (assume overwrite is enabled for .htaccess): there's an SO answer which covers it here: http://stackoverflow.com/questions/16819431/using-php-ini-htaccess-and-zlib-output-to-compress-js-css-and-php-files – CD001 Oct 03 '14 at 15:54
  • @cyclone200 That isn't true. And, you could always utilize your web server for GZIP which is often a better option anyway. – Brad Oct 03 '14 at 16:08
  • @Brad OK, I see. Thank you for your answers. I'll contact my web hosting service (1&1) tomorrow to find out how I could access /etc/ or activate gzip for all my sites. If they don't have a solution, I'll use CentOS, as recommended by Brad. Thanks again. – cyclone200 Oct 04 '14 at 22:22
  • @cyclone200 I didn't recommend CentOS, and neither did HD actually. HD was suggesting the default location for PHP.ini if you are using CentOS. – Brad Oct 04 '14 at 22:25
  • @Brad Thank you for your answer, Brad. Well, I just had 1&1 on the phone and the only solution is to have the php.ini in each folder in which I want to enable the gzip compression... Maybe I should redirect the php.ini page to a 404 page? Thank you again. – cyclone200 Oct 07 '14 at 11:16
  • @cyclone200 If it were me, I'd find a new web host. Also, I wouldn't redirect requests for php.ini to a 404... actually return a 404 when php.ini is requested. – Brad Oct 07 '14 at 12:39
  • @Brad Well, I see... I can't change and find a new web host right now... So what if I put a CHMOD 604 on the php.ini? Because is that really really if a user could read my php.ini (which contains only 2 lines...) Thank you again! – cyclone200 Oct 07 '14 at 18:56
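
The two outcomes discussed in the comments (refusing the request, or answering 404 as Brad suggests), written out as an added `.htaccess` example that is not from the thread. It assumes the host permits these directives in `.htaccess` (`AllowOverride`) and, for option B, that mod_alias is loaded.

```apache
# .htaccess placed in each directory that holds a per-directory php.ini
# (constructed example; the file name php.ini comes from the question)

# Option A: refuse the request with 403 Forbidden.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    <Files "php.ini">
        Require all denied
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    <Files "php.ini">
        Order allow,deny
        Deny from all
    </Files>
</IfModule>

# Option B (use instead of A): answer 404 Not Found, so the response
# does not confirm that the file exists. RedirectMatch takes no target
# URL when the status is not a 3xx redirect.
# <IfModule mod_alias.c>
#     RedirectMatch 404 "(?i)/php\.ini$"
# </IfModule>
```

If the host sets `AllowOverride None`, the `.htaccess` file is ignored entirely and none of these directives take effect.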
