Quote:
Originally Posted by MaryTheG(r)eek
First of all, and please correct me if I'm wrong, you're talking about editing the htaccess file, right? In this case, just keep in mind that not all users know how to use such files, and most importantly, not all server configurations can use htaccess (e.g. win/iis). At least not as easily as *nix servers.
Well, it doesn't matter whether it's htaccess or not; IIS also supports restrictions. The problem is just that VB (and so PHP) needs to read this file, so it basically doesn't matter where it's put. By default the config file isn't remotely accessible anyway.
And remembering some VB bugs (like the FAQ one revealing the DB info), it doesn't matter where this file is, because VB needs it to work at all.
Quote:
Originally Posted by MaryTheG(r)eek
Second, but this is just my opinion, I believe that anything outside the public area is "more" secure. Not that it is totally secure, but it has a greater security level.
That depends. Writable directories like the attachments directory should be stored outside the webroot, without any doubt.
For readable files like configurations, for the webserver there's absolutely no difference between placing them in the "includes" directory and restricting that via "Deny from all" to local access only, or moving them somewhere into a directory that has the same restrictions (like /etc).
It's maybe a bit more user-friendly to set up the "includes" directory to disallow access, because you don't need to edit VB core files.
And, for the worst case, if it happens that VB has some kind of LFI or info-revealing bug, then it doesn't matter where this file is.
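As an added example (not code from the thread or from vBulletin), the following Python script audits a web root for config files that would be served by Apache because no .htaccess in their directory, or any parent directory, blocks remote access. It assumes the config file is named config.php (vBulletin's default under includes/) and recognises both the Apache 2.2 "Deny from all" and the Apache 2.4 "Require all denied" syntax; the sample tree is constructed.

```python
"""Find config files under a web root that lack a blocking .htaccess.

Added example, not part of the original thread. Assumptions: the
sensitive file is config.php (vBulletin's default under includes/) and
protection is an Apache .htaccess. A server-level restriction (httpd.conf,
IIS) is not visible to this audit, and .htaccess only takes effect when
AllowOverride permits it.
"""
import os
import re
from typing import Dict, List, Optional

SENSITIVE = re.compile(r"(^|/)config\.php$")
# Apache 2.2 and 2.4 forms of "no remote access at all".
DENY_22 = re.compile(r"^\s*Deny\s+from\s+all\s*$", re.IGNORECASE | re.MULTILINE)
DENY_24 = re.compile(r"^\s*Require\s+all\s+denied\s*$", re.IGNORECASE | re.MULTILINE)


def directory_denies_access(htaccess: Optional[str]) -> bool:
    """True if this .htaccess text blocks all remote access."""
    if htaccess is None:
        return False
    return bool(DENY_22.search(htaccess) or DENY_24.search(htaccess))


def audit(tree: Dict[str, str]) -> List[str]:
    """tree maps web-root-relative paths to file contents.

    Returns sensitive files with no blocking .htaccess in their own
    directory or any parent (Apache applies .htaccess to subdirectories).
    """
    exposed = []
    for path in sorted(tree):
        if not SENSITIVE.search(path):
            continue
        parts = path.split("/")[:-1]
        protected = any(
            directory_denies_access(tree.get("/".join(parts[:i] + [".htaccess"])))
            for i in range(len(parts), -1, -1)
        )
        if not protected:
            exposed.append(path)
    return exposed


def load_tree(root: str) -> Dict[str, str]:
    """Read a real web root from disk into the mapping audit() expects."""
    tree = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                tree[rel] = fh.read()
    return tree


# Constructed sample: a protected includes/ dir and a forgotten unprotected copy.
SAMPLE_TREE = {
    "index.php": "<?php require 'includes/config.php';",
    "includes/config.php": "<?php $config['MasterServer']['password'] = 'x';",
    "includes/.htaccess": "Order deny,allow\nDeny from all\n",
    "backup/config.php": "<?php // forgotten copy with no .htaccess",
}

if __name__ == "__main__":
    for exposed_path in audit(SAMPLE_TREE):
        print("exposed:", exposed_path)
```

Run it against a live tree with `audit(load_tree("/var/www/html"))`; anything it lists is reachable by the web server even though the thread's point stands that a local file inclusion bug would read it regardless.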