steva
asked on
Keeping critical PHP files from being downloaded
PHP files often have critical information. A vendor's PayPal account information might be in a config.php file, for example. How are these files protected from download by something like FlashGet?
Thanks
In Apache, use .htaccess to forbid access to your includes folder.
ASKER
Trixor,
No it doesn't display anything if run directly. So are you saying that Apache in general won't let you download a .php file?
Steva,
That is correct.
Just be aware that if your Apache is NOT configured to process PHP, you can download a .php file. But since in most cases Apache is configured this way, you are correct.
The author didn't specifically mention Apache. For example, there is no .htaccess in IIS. Disable directory browsing.
ASKER
I'm running on a Linux/Apache system, so there is a .htaccess file. But the .htaccess in the directory containing config.php just has some kind of a RewriteRule with a regular expression. (I have access to the remote directories.) So it doesn't look like .htaccess is what's blocking download access to the file. I think Trixor has it. Apache won't download any php files, no matter where they are. That's good to know.
Something like a config.php, etc., is usually in ./includes, so prohibit directory listing on those folders.
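
A check for the three outcomes discussed in this thread (PHP executed, raw source served because Apache is not processing PHP, and an open directory listing), as an added example that is not part of the original posts. The paths, the `$paypal_account` variable and the sample responses are constructed; `fetch` is included for running the same classification against your own server.

```python
import re
import urllib.error
import urllib.request

# Raw PHP open tags in a response body mean the server sent the source.
PHP_SOURCE = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Page title that Apache's mod_autoindex gives a generated directory listing.
DIR_LISTING = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

def classify(status, body):
    """Classify one HTTP response for a path that should not be readable."""
    if status in (401, 403, 404):
        return "blocked"            # access rule or missing file: nothing served
    if PHP_SOURCE.search(body):
        return "source-exposed"     # PHP is not being processed for this path
    if DIR_LISTING.search(body):
        return "directory-listing"  # directory browsing is enabled
    return "executed" if status == 200 else "other"

def fetch(url, timeout=10):
    """Return (status, body) for url; HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(responses):
    """Return (verdict per path, sorted paths that need fixing)."""
    report = {p: classify(status, body) for p, (status, body) in responses.items()}
    bad = sorted(p for p, v in report.items()
                 if v in ("source-exposed", "directory-listing"))
    return report, bad

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "/includes/config.php": (200, ""),  # PHP ran and printed nothing
    "/backup/config.php": (200, "<?php\n$paypal_account = 'PLACEHOLDER';\n"),
    "/includes/": (200, "<html><head><title>Index of /includes</title></head></html>"),
    "/private/config.php": (403, "<h1>Forbidden</h1>"),
}

if __name__ == "__main__":
    report, bad = audit(SAMPLES)
    for path, verdict in report.items():
        print(f"{verdict:18} {path}")
    print("needs fixing:", bad)
```

An empty 200 response, as the asker observed, classifies as `executed`; only a body containing PHP open tags or an `Index of /` title is flagged.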