It's becoming clearer. But one question concerning:

"the path could be hacked, but if there is a requirement to login to that
folder (because of .htaccess directives) then the hacker will still have to
come up with appropriate authentication."

Since all sensitive files on my site require login (username/password) and
each (https) page requires the appropriate $_SESSION variables before it'll
load, I wonder whether I can leave things as they are (everything in the
/html folder)? You mentioned that the "path could be hacked" -- if that's the
case (even using .htaccess) would setting these sensitive files "below" the
root make much difference?

I think that it is better to situate these sensitive files outside of the
web root accessible with appropriate authentication and session ID. You can
leave everything as is, and be reasonably assured of security. Me
personally? I would take the extra step. That way you know that you have
done all that you could possibly do.

As I have said (and many others have said), "If you don't want anyone to get
a hold of the file, do not make it available from your web root."

* Texas PHP Developers Conf  Spring 2003                  *
* T Bar M Resort & Conference Center                      *
* New Braunfels, Texas                                    *
* San Antonio Area PHP Developers Group                   *
* Interested? Contact [EMAIL PROTECTED] *

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
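The "extra step" discussed above is to move the files out of the document root and hand them out only through a PHP script that checks the session first. The following is an added example written for this thread, not code posted by either participant. It assumes a login page that sets `$_SESSION['user_id']`, a directory `/var/www/private` that sits beside (not inside) the `/var/www/html` web root, and that the script is reached as `download.php?file=report.pdf`; the file names and MIME types in the allow-list are constructed for the example.

```php
<?php
// Added example (not from the original thread): serve a file that lives
// outside the web root only to an authenticated session.
// Assumed layout: web root /var/www/html, protected files in /var/www/private,
// login page sets $_SESSION['user_id'].
declare(strict_types=1);

session_start();

// Directory outside the document root (assumed path). Nothing in here has a
// URL, so a guessed or "hacked" path can never reach it directly.
const PRIVATE_DIR = '/var/www/private';

// Allow-list of files this script may serve, keyed by the name the client
// sends. Anything not listed is refused, so the request can never name an
// arbitrary path such as ../../etc/passwd. (Constructed sample entries.)
const ALLOWED_FILES = [
    'report.pdf'  => 'application/pdf',
    'members.csv' => 'text/csv',
];

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $message;
    exit;
}

// 1. Require a logged-in session. Change the key to whatever your login sets.
if (empty($_SESSION['user_id'])) {
    deny(403, 'Login required.');
}

// 2. Resolve the requested name against the allow-list only.
$name = $_GET['file'] ?? '';
if (!is_string($name) || !array_key_exists($name, ALLOWED_FILES)) {
    deny(404, 'No such file.');
}

// 3. Build the path and confirm it still lies under PRIVATE_DIR after realpath()
//    has resolved symlinks and '..' (defence in depth; the allow-list already
//    blocks traversal).
$base = realpath(PRIVATE_DIR);
$path = realpath(PRIVATE_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
    deny(404, 'No such file.');
}

// 4. Stream the file. Content-Disposition forces a download instead of inline
//    rendering; no-store keeps shared caches from holding a copy.
header('Content-Type: ' . ALLOWED_FILES[$name]);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Cache-Control: private, no-store');
readfile($path);
```

With this in place the links on the protected pages point at `download.php?file=report.pdf` rather than at the file itself, and the web server has nothing under `/var/www/private` to serve even if the `.htaccess` protection on the `/html` tree were misconfigured or bypassed. The allow-list is what does the work: the script never trusts the client-supplied name as a path component, and the `realpath()` check is only a second line of defence.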
