
I have been reading about where to securely save a PHP file that has my MySQL database connection password. I understand from the forums that it should be saved in a folder above the webroot. I have a cloud server from a hosting company. I have access to root.

The path to the public files is as follows:

 /var/www/vhosts/mydomain.co.uk/httpdocs/afile.php

Say I have a PHP file (containing my password) called sqlpassfile.php

Would the following be okay as a place to securely store it? i.e. in a new folder called NEWFOLDER after vhosts?

 /var/www/vhosts/NEWFOLDER/sqlpassfile.php

Sorry for a simple question, but I just want to make sure it's secure.

Thanks

user2635961
  • Simple answer: yes, it would be OK to do that. That is outside the webroot, as long as you tell your script where it's located. – Panama Jack Apr 27 '15 at 20:48

3 Answers

Usually, people just save the database connection information in a regular PHP file; for example, WordPress saves the connection info in its wp-config.php. This works simply because nobody is able to see your password by visiting that PHP page: nothing is returned.

To make it more secure, you can disable access to PHP files while mod_php has stopped working. Try this in your .htaccess:

<IfModule !mod_php5.c>
  <Files *.php>
  Order Deny,Allow
  Deny from all
  </Files>
</IfModule>

Please also have a look at this post: Password in file .php

Shiji.J

All the PHP frameworks you will find nowadays do indeed store their whole code base a level under the web root.

They do not only store information like credentials there; they actually store all the business logic of the application outside of the web root. They then only allow a facade file to be accessed (most of the time an index.php or app.php) that will, with the help of controllers, handle every request and route you to the right page/content, together with, of course, all the static content the site will use (your design images, your CSS, your JS, ...).

For example:

  • Zend Framework uses a public folder where you will find an index.php and all the static files
  • Symfony uses a web folder where you will find two files, app.php and app_dev.php, and again all of the static files

So in your case you could do:

  • /var/www/vhosts/example.com/httpdocs/ is the web root of your server
  • /var/www/vhosts/example.com/app/ stores all the PHP code you need
  • /var/www/vhosts/example.com/app/config stores all your configuration files, and then maybe your credentials file, which you can call sql_config.php
  • /var/www/vhosts/example.com/httpdocs/afile.php will require_once '../app/config/sql_config.php';

β.εηοιτ.βε
  • On my hosted cloud server I do have a /var/www/vhosts/example.com/conf and a /var/www/vhosts/example.com/private. Could I store my password PHP files there then? – user2635961 Apr 27 '15 at 20:41
  • That is surely something which you can try, but bear in mind that [Open Base Dir Restriction](http://stackoverflow.com/questions/1846882/open-basedir-restriction-in-effect-file-is-not-within-the-allowed-paths) can cause you trouble in doing so. – β.εηοιτ.βε Apr 27 '15 at 20:49
  • They do this to simplify configuration and deployment. It does compromise security, but such tools should use additional protections as described by Shoji.Jiang. This is a poor answer. – symcbean Apr 27 '15 at 20:56
  • @symcbean not only. Let's compare `/var/www/web_root/include/somefile.php` against `/var/www/app/include/somefile.php`: they will both be included via a `require` or `include` in another file, but I surely can attack the first one more easily than I can the second one, and find an undefined notice, and then... Attacks begin with clues. That does not do all the job, of course, you still have to be cautious about security, but that definitely is a good start. – β.εηοιτ.βε Apr 27 '15 at 21:11

Whether your method is safe depends on the configuration of the server, something that providers are not often very good at documenting.

Your first line of defence is keeping what is essentially configuration data inside a file named with a .php extension, so if it is accessible from a browser the webserver will execute the file rather than returning the data. You certainly want at least 2 levels of security on your data (each of which you have tested independently).

Considering the path you have chosen, /var/www/vhosts/NEWFOLDER/sqlpassfile.php, what happens if you request http://NEWFOLDER/sqlpassfile.php from the server? (In most cases nothing, but once in a while....) Generally it's better practice to keep it well clear of the directories your webserver uses.

symcbean
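Added example, not code from the question or from any of the answers above: a small PHP loader for the layout the second answer suggests (credentials in app/config/sql_config.php, web root at httpdocs/), which also gives you the kind of independently testable second layer the last answer asks for, by refusing to load a credentials file whose real path resolves underneath DocumentRoot. The paths, the `loadDbConfig` function, the config keys and the sample values are all assumptions.

```php
<?php
// Added example, not from the question or any answer on this page.
// Assumed layout, following the second answer:
//   /var/www/vhosts/example.com/httpdocs/afile.php          <- served (DocumentRoot)
//   /var/www/vhosts/example.com/app/config/sql_config.php   <- never served
//
// Assumed contents of app/config/sql_config.php. It returns an array rather
// than defining globals, so nothing leaks into the scope of the including file:
//
//   <?php
//   return array(
//       'dsn'      => 'mysql:host=localhost;dbname=mydb;charset=utf8mb4',
//       'user'     => 'dbuser',
//       'password' => 'CHANGE-ME',   // placeholder, not a real credential
//   );

/**
 * Load the credentials file and refuse to continue if it resolves to a path
 * underneath the document root, i.e. somewhere the web server could serve it.
 *
 * @param string $configPath   path to the credentials file
 * @param string $documentRoot the web root (normally $_SERVER['DOCUMENT_ROOT'])
 * @return array with keys dsn, user, password
 */
function loadDbConfig($configPath, $documentRoot)
{
    $real = realpath($configPath);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root does not exist');
    }
    // Compare with a trailing separator so that /var/www/httpdocs does not
    // accidentally match a sibling such as /var/www/httpdocs-old.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootPrefix, strlen($rootPrefix)) === 0) {
        throw new RuntimeException("refusing to load $real: it is inside the web root $root");
    }
    if (!is_readable($real)) {
        throw new RuntimeException("cannot read $real (e.g. chmod 0640, owned by the PHP user)");
    }

    $config = require $real;
    foreach (array('dsn', 'user', 'password') as $key) {
        if (!is_array($config) || !isset($config[$key]) || $config[$key] === '') {
            throw new RuntimeException("missing '$key' in $real");
        }
    }
    return $config;
}

// In httpdocs/afile.php: build the path from __DIR__ rather than from a bare
// relative path, so it does not depend on the current working directory.
$config = loadDbConfig(__DIR__ . '/../app/config/sql_config.php', $_SERVER['DOCUMENT_ROOT']);

$pdo = new PDO($config['dsn'], $config['user'], $config['password'], array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
));
unset($config); // drop the password from scope once the connection is made
```

Two things to check on a hosted server before relying on this: if the provider has set open_basedir to httpdocs only (the restriction mentioned in the comments above), the `require` of a file under app/ will fail and the directory has to be added to that setting; and the credentials file should be readable by the PHP process user but not by other accounts on the box, which the `is_readable` check confirms only from the PHP side.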