Where to put my PHP files


Solution 1

It's pretty safe. If you have PHP installed, your webserver will always try to run the PHP file rather than showing its code, and even if the code fails, you will get an error message or a blank page rather than the code.

Apart from that, you can use .htaccess or other kinds of server configuration to disable viewing of those files.

But... it must be said, though, that if any of these settings are not configured correctly, the webserver may indeed serve the PHP files as plain text files!

So I think it is a good idea to move all php files out of the www folder if they should not be accessed directly. Quite often you'll find only one index.php which handles all requests and includes other php files. PHP files that are not in www (the document root), can still be included, so it's a good safety measure to put these files in a separate folder. That way, you reduce the risk of exposing those files when you make a tiny little configuration error.

After all, even when it worked before, it's very easy to break it. Maybe you want to tweak your configuration a little, or you are on a shared host where the hosting provider might make changes without you knowing, so it's just a wise thing to do.

So... It is a good idea to move files out of the www folder. It's usually very easy to do this (although it depends on your application structure), so it's just an extra safety measure that usually won't cost you a dime. And if it's hard (due to your current application structure) to completely move all files out of the document root, make sure that at least configuration files with passwords are outside of the www folder, followed by database access files that might expose any security issues you might have in your implementation.
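As an added illustration of the layout Solution 1 recommends (this is not code from the answer's author), here is a minimal front controller that is the only PHP file in the document root, with the credentials and the database helper included from a sibling directory that Apache cannot serve. The paths, the `APP_ROOT` constant, the `db_connect()` function and the config values are assumptions.

```php
<?php
// Added example, not from the original answer. Assumed layout:
//
//   /var/www/example/app/config.php   <- credentials, outside the document root
//   /var/www/example/app/db.php       <- database helper, outside the document root
//   /var/www/example/www/index.php    <- the only PHP file Apache can reach
//
// DocumentRoot points at .../www, so a request for /app/config.php never maps
// to a file, even if the PHP handler (AddType) is missing or broken.

// ---- www/index.php --------------------------------------------------------
// Everything outside the document root is addressed relative to this file,
// never via a web path.
define('APP_ROOT', dirname(__DIR__));            // /var/www/example

$config = require APP_ROOT . '/app/config.php';  // config.php returns an array
require APP_ROOT . '/app/db.php';

$pdo = db_connect($config);
echo 'Connected to ' . htmlspecialchars($config['dbname'], ENT_QUOTES, 'UTF-8');

// ---- app/config.php (outside the document root) ---------------------------
// Returning the settings instead of defining globals keeps them local to the
// caller. Placeholder values only; real credentials do not belong in source.
/*
<?php
return array(
    'host'     => 'localhost',
    'dbname'   => 'myapp',
    'user'     => 'myapp_user',
    'password' => 'CHANGE-ME',
);
*/

// ---- app/db.php (outside the document root) -------------------------------
/*
<?php
// Belt-and-braces guard: if this file is ever copied under the document root
// and requested directly, APP_ROOT is undefined and nothing below executes.
if (!defined('APP_ROOT')) {
    http_response_code(404);
    exit;
}

function db_connect(array $c)
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $c['host'], $c['dbname']);
    return new PDO($dsn, $c['user'], $c['password'],
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
}
*/
```

The guard in db.php costs nothing and turns a configuration slip into a 404 instead of a source disclosure.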

Solution 2

Don't worry; PHP files are interpreted by the web server and the code is not accessible directly from a web browser. In Apache's httpd.conf file you can check that the php extension is "protected":

AddType application/x-httpd-php .php

If you are interested in giving your application a little extra security, you can change the extension of your PHP files, and your webserver config (the line above). This is called security through obscurity.

Author: Bunkai.Satori

Updated on January 29, 2020

Comments

  • Bunkai.Satori over 4 years

    I have finished my PHP project development. It was developed locally on my PC. Now I am ready to upload it on my web server and make it publicly accessible.

    There is however one thing that bothers me: Currently, all the PHP files are in my WWW folder with all the HTML, JavaScript, CSS, and Images files. PHP files are sensitive, as they access MySQL Database and often contains password and file paths that are meant to remain secret from the users.

    If I leave the PHP files within the WWW directory, I am afraid they can become accessible to the public in the same way as the other files and images are. I am afraid that skilled users can download and read them, and therefore reveal the secret information about my web server.

    Are my worries legit? Does the web server automatically hide .php files? Should I move the PHP files into another location, away from the WWW folder? Is there any other way to protect my PHP files from being downloaded?

    I am using:

    • Apache 2.4.7
    • PHP 5.5.8
    • MySQL 5.6.15
  • Bunkai.Satori over 9 years
    Hi and thanks for your response, +1. I know that during the development I was able to list all the files stored in the WWW folder through my web browser. I could see them all, including PHP files. During the development, I was focused on developing; I just took a note that I have to take care of this. Today, I was not able to reproduce this problem, but I am afraid there is still a way to list all the folders and directories of the WWW folder through a browser.
  • Bunkai.Satori over 9 years
    Hi, and yes, that is my problem. (+1) I know that I was able to see and download any files, including my PHP files as text files, through my web browser. I was able to see image files, .javascript files, .css files, and .php files too. If I want to disable this problem, would you have any idea where to look, please?
  • tomloprod over 9 years
    Listing the PHP files (something that should be avoided) is different from being able to read them. If you want to prevent a directory listing, do the following: Options -Indexes in the web server config. Or, if you want to prevent the listing of only PHP files (not recommended), do the following: IndexIgnore *.php
  • GolezTrol over 9 years
    Yes. There are two different configurations. One is declaring the PHP file type: AddType application/x-httpd-php .php. This will tell Apache that .php files should be run by the PHP module. Once this is configured, you won't be able to view files as text (see also Apache is downloading php files instead of displaying them).
  • GolezTrol over 9 years
    The other setting is to disable directory indexes. You can do this using <Directory path>Options -Indexes</Directory>. But despite those settings I would still move the files out of your www folder as much as possible.
  • bansi over 9 years
    (+1) for the nice description, even if I disagree on some points. @Bunkai.Satori, if you can see your php files as text files, I would suggest configuring your web server before you upload anything to that server.
  • Bunkai.Satori over 9 years
    @bansi, hi and thanks for your advice. Of course, I am willing to do whatever is needed. I just need to know what to configure, or at least where to start. At least I have a starting point now.
  • Bunkai.Satori over 9 years
    @GolezTrol, thanks for your patient explanations. I will wait a couple of moments to see if I get anything more from anybody. Then, I will most likely mark your answer as the Accepted Answer.