
This is my first PHP project and I'm going to make it online very soon. Recently I have read some articles about not keeping the PHP scripts inside the public folder, because if the server is not configured correctly the PHP scripts might be visible as plain text, and that is a big security concern if those scripts contain sensitive information (like DB credentials etc.). But I believe I shouldn't be concerned, as my PHP pages mainly consist of multiple include/require statements. Here is an example:

home.php

<?php
require_once ('../resources/app_config.php');
require_once ('../resources/includes/functions.php');
require_once ('../resources/includes/header.php');
?>
<body>
The body elements...
</body>
<?php
require_once ('../resources/includes/footer.php');
?>

Here is the directory structure of my project:

resources
  |___ app_config.php
  |___ includes
       |___ functions.php
public_html
  |___ css_dir
  |___ js_dir
  |___ images_dir
  |___ index.php
  |___ home.php
  |___ profile.php

So my question is: should I be concerned about moving my PHP pages out of the public folder, or is there nothing to be concerned about? Thank you.

2 Answers


  1. Anything you should publish, such as index.php, should be placed inside the public_html folder. Your web server's PHP engine processes the PHP and sends only the output.

    There cannot be any harm coming your way if your web server is configured properly to serve PHP output.

    If you are using Apache, use .htaccess file to further restrict the access (such as folder indexing) to public_html folder.

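    As an added illustration of the .htaccess hardening mentioned above (this is not part of the answer, and the file names are taken from the question's directory listing), the following public_html/.htaccess turns off directory listings and refuses to serve any include-style file that was never meant to be requested directly. It assumes Apache 2.4 with AllowOverride enabled for that directory; with AllowOverride None the same directives belong in the virtual host's Directory block instead.

```apache
# public_html/.htaccess  (added example, not from the original answer)

# Weak default on many hosts: "Options +Indexes" lists css_dir, js_dir and
# images_dir contents when no index file exists. Turn it off explicitly.
Options -Indexes

# Belt and braces: if app_config.php or an include file is ever copied into
# public_html by mistake, answer with 403 instead of its contents.
# (Names assumed from the question; adjust to your own include files.)
<FilesMatch "^(app_config|functions|header|footer)\.php$">
    Require all denied
</FilesMatch>

# Hide dotfiles such as .htaccess itself and any .env that lands here.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

    Note that none of this substitutes for the PHP handler being active: if Apache is not handing .php files to the engine, the deny rules above only protect the listed names, which is exactly why keeping resources/ outside the document root (as the question already does) is the real safeguard.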
  2. If you want to be sure that nothing can leave your server unsecured, even in the worst case, it’s perfectly fine to point the document root to some nearly empty folder (that holds only the entry point) and have the business logic in another folder.

    For example, Fabien Potencier, the creator of Symfony, proposes the following in http://fabien.potencier.org/symfony4-directory-structure.html:

    • Source Code under src/
    • Web files under public/

    This way, even if your PHP process fails but your web server still serves files from public, nobody will be able to read more than the simple bootstrapping code (once again the Symfony example: their recommended index.php at https://github.com/symfony/recipes/blob/master/symfony/framework-bundle/4.2/public/index.php needs only small changes for your own application, and only in very specific cases).

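    To make the "nearly empty document root plus entry point" idea concrete for the question's own layout, here is an added example (not the Symfony front controller and not code from either answer). It assumes a hypothetical resources/pages/ folder holding the page templates, and that app_config.php returns an array rather than defining globals.

```php
<?php
// ===== file: public_html/index.php (added example, not the page's own code) =====
declare(strict_types=1);

// Resolve paths from this file's location, not from the current working
// directory, so the relative "../resources" in the question cannot break
// when PHP is invoked differently (CLI, FPM, a different DocumentRoot).
$root      = dirname(__DIR__);          // e.g. /var/www/myapp (assumed)
$resources = $root . '/resources';      // never under DocumentRoot

// Marker the included files check for. A direct HTTP request for an include
// file can never have this defined, so it exits before doing anything.
define('APP_BOOT', true);

$config = require $resources . '/app_config.php';   // returns an array
require $resources . '/includes/functions.php';

// Route on an allow-list of page names: user input never becomes a path.
$pages    = ['home' => 'home.php', 'profile' => 'profile.php'];
$page     = $_GET['page'] ?? 'home';
$pageFile = $pages[$page] ?? null;

if ($pageFile === null) {
    http_response_code(404);
    echo '<h1>Not found</h1>';
    exit;
}

require $resources . '/includes/header.php';
require $resources . '/pages/' . $pageFile;          // hypothetical folder
require $resources . '/includes/footer.php';

// ===== file: resources/app_config.php (added example) =====
// <?php   -- this line opens the second file; it is outside public_html,
//            so a web server that serves .php as text still cannot reach it.
defined('APP_BOOT') or exit('Direct access not allowed');

return [
    'db' => [
        // Placeholder values; better still, read the secret from the
        // environment so it is not in any file at all.
        'dsn'      => 'mysql:host=127.0.0.1;dbname=app',
        'user'     => 'app_user',
        'password' => getenv('APP_DB_PASSWORD') ?: '',
    ],
];
```

    With this shape, the only file a misconfigured server could ever leak as plain text is index.php, and it contains no secrets: the credentials sit in resources/app_config.php, which is both outside the document root and guarded by the APP_BOOT check.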