5

Languages such as Perl, Pythong, etc are usually considered to have a better security comparing with PHP. Apart from possible security holes, one reason can be (I do not know, I am asking) that we do not put the executable files of Perl and Python within public folder. Since PHP files are not executable, it is safe to keep them within public folder.

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers? If yes, is it common? because I do not see any disadvantage (except a little bit harder handling of file spread in different places); but if it is beneficial for improve security, it is worth of consideration. Since I do not know about the ways hackers attach a php-based website, I have no idea how it can improve security.

Googlebot
  • 15,159
  • 44
  • 133
  • 229
  • Related questions: [Help securing files access with htaccess and php?](http://stackoverflow.com/questions/2573496/help-securing-files-access-with-htaccess-and-php), [PHP file security on webserver](http://stackoverflow.com/questions/6524565/php-file-security-on-webserver), [Securing PHP files](http://stackoverflow.com/questions/1401727/securing-php-files) and [the many related](http://stackoverflow.com/search?q=[php]+files+webroot+security). – hakre Oct 15 '11 at 16:00
  • Thanks hakre, I also search for the topic; there are related questions, but not focusing on the idea. – Googlebot Oct 15 '11 at 16:11

1 Answers1

9

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers?

Yes.

If yes, is it common?

Yes.

but if it is beneficial for improve security,

Your PHP app will typically consist of many individual files. Usually, these will get included from other files. For example, you might have:

index.php
lib/db.php
lib/auth.php

In this example, since all the files are in the document root, an external user could hit the url http://domain.com/lib/auth.php and run that include file directly, independent of the auth system that's supposed to be sourcing it. Will it do anything bad when run by itself? Probably not. But to be safe, you should move the include files outside document root, thus making it impossible for the web server to serve them directly.

(Note that this vulnerability is not exclusive to PHP, and thus keeping your libs outside document root is a good practice, regardless of platform.)

Alex Howansky
  • 50,515
  • 8
  • 78
  • 98