Is it safe to place config.php in the root of your website even though it has permissions set to 644?
As long as no one has SSH or FTP access to your server, and there is no bug / security hole in your website that would allow anyone to access the sources of the PHP files, this should be quite OK.
Note that your Apache user has to access that file (so it can be included from other PHP scripts); so, wherever you put it, if you have a security hole that allows PHP files to be read by users, it won’t change a thing.
An idea might be to put that file outside of the document root, or inside a directory protected by an .htaccess file denying access from anyone — at least, this way, if your server is not well-configured and displays the source code of PHP files, the content of that file would not be displayed (as it could not be accessed/served directly via HTTP).
This will not help in the case of a security hole that allows a PHP file to display the content of other PHP files (I’ve seen that happen), but that would still be a first step.
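The placement options described in the answer above can be checked on a server with a small script. This is an added example, not part of the original answer; the function name `classify_config` and its three result labels are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: classify where a PHP config file sits relative to the
# Apache document root.
# Usage: classify_config <docroot> <config-file>
# Prints: outside-docroot | inside-denied | inside-exposed
# Caveat: an .htaccess file only takes effect when the server's AllowOverride
# setting permits it; this script cannot verify that.

# Resolve a directory to its physical path (symlinks followed).
_real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

classify_config() {
    local docroot cfgdir dir
    [ -f "$2" ] || return 2
    docroot=$(_real_dir "$1") || return 2
    cfgdir=$(_real_dir "$(dirname "$2")") || return 2

    # Config directory is neither the docroot nor below it:
    # no URL path maps to the file.
    case "$cfgdir/" in
        "$docroot"/*) ;;
        *) echo "outside-docroot"; return 0 ;;
    esac

    # Walk from the config's directory up to the docroot, looking for an
    # .htaccess that denies everyone (Apache 2.4 "Require all denied" or
    # Apache 2.2 "Deny from all").
    dir=$cfgdir
    while :; do
        if [ -f "$dir/.htaccess" ] &&
           grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' "$dir/.htaccess"; then
            echo "inside-denied"; return 0
        fi
        [ "$dir" = "$docroot" ] && break
        dir=$(dirname "$dir")
    done
    # Served by HTTP: safe only while the server executes .php files
    # instead of returning their source.
    echo "inside-exposed"
}

if [ "$#" -eq 2 ]; then classify_config "$@"; fi
```

Neither `outside-docroot` nor `inside-denied` covers the case the answer ends on, where a flaw in one PHP script reads other PHP files from disk.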