Let’s say you have a config.php that holds sensitive information like a DB user password. It is not recommended to store that file in the document root, right?
Why is that so and is it a safer approach to store sensitive information in the index.php of the document root?
For me, the first scenario that comes to mind is a misconfiguration that lets users download or view .php files, rather than parse them and present them as text/html. Say you perform an upgrade, something goes wrong, and Apache is no longer parsing your scripts. Somebody notices that Apache is sending your PHP files as plain text, and is able to open config.php and see the source code (and all the sensitive database configuration parameters inside).
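The layout the answer above argues for, as an added example (not code from the question or the answer): the credentials live in a file one level above the document root, and the only script under the document root, index.php, pulls them in by filesystem path. The paths (/var/www/app/public as document root, /var/www/app/config/config.php for the secrets), the database names and the placeholder password are all assumptions made for the illustration.

```php
<?php
// ===== file: /var/www/app/config/config.php (OUTSIDE the document root) =====
// Added example, not from the original page. No URL maps to this file, so a
// server that stops executing PHP still cannot hand its contents to a client.
// The values are constructed placeholders.
return [
    'db_host' => '127.0.0.1',
    'db_name' => 'app',
    'db_user' => 'app_user',
    'db_pass' => 'replace-me-with-a-real-secret',
];

// ===== file: /var/www/app/public/index.php (document root is /var/www/app/public) =====
declare(strict_types=1);

// Resolve the config file relative to this script, never relative to anything
// the client controls. realpath() returns false if the file is missing.
$configPath = realpath(__DIR__ . '/../config/config.php');
if ($configPath === false) {
    http_response_code(500);
    exit('Configuration file not found.');
}

// Cheap sanity check: the secrets file should be readable only by the web
// server user. A world-readable bit (0004) is logged so it gets noticed.
$perms = fileperms($configPath) & 0777;
if (($perms & 0004) !== 0) {
    error_log(sprintf('config.php is world-readable (mode %o)', $perms));
}

// Load the array returned by config.php; nothing sensitive is ever written
// into a file that the web server can be asked for by URL.
$config = require $configPath;

$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $config['db_host'], $config['db_name']),
    $config['db_user'],
    $config['db_pass'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// ... application code uses $pdo from here on ...
```

Note what this layout does and does not rely on. Guards written in PHP, such as `if (!defined('IN_APP')) exit;` at the top of config.php, only work while PHP is being executed; in the failure mode the answer describes, Apache is sending the file as plain text and never runs that line, so the guard protects nothing. Keeping the file outside the document root (or, as a second layer, denying it at the server level) is what actually removes the file from the set of things a client can request.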