[snip] It's becoming clearer. But one question concerning: "the path could be hacked, but if there is a requirement to login to that folder (because of .htaccess directives) then the hacker will still have to come up with appropriate authentication."
Since all sensitive files on my site require login (username/password) and each (https) page requires the appropriate $_SESSION variables before it'll load, I wonder whether I can leave things as they are (everything in the /html folder)? You mentioned that the "path could be hacked" -- if that's the case (even using .htaccess) would setting these sensitive files "below" the root make much difference? [/snip]

I think that it is better to situate these sensitive files outside of the web root accessible with appropriate authentication and session ID. You can leave everything as is, and be reasonably assured of security. Me personally? I would take the extra step. That way you know that you have done all that you could possibly do.

As I have said (and many others have said), "If you don't want anyone to get a hold of the file, do not make it available from your web root."

HTH!

Jay

***********************************************************
* Texas PHP Developers Conf Spring 2003                   *
* T Bar M Resort & Conference Center                      *
* New Braunfels, Texas                                    *
* San Antonio Area PHP Developers Group                   *
* Interested? Contact [EMAIL PROTECTED]                   *
***********************************************************

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php