Personally I reckon that you should simply place them outside the webroot.
If you are either too lazy to do this, or too paranoid for this alone,
then you could consider renaming them from filename.xml to
.ht_filename.xml. There is a section in most default apache config
files to make filenames beginning with .ht to be unaccessable.
I would recommend against filtering out .xml files. Whilst they may
only be config files at the minute, you may in future wish to serve up
xml files. I would instead suggest that you change your naming scheme
to have config files ending in .conf, .config, .settings, or .set or
something else non-standard, and fileter out that. A file doesn't have
to be called something.xml to contain xml.
If for example you want to filter out pages ending in .conf, then you
could do something like this(assuming my understanding of apache regex
is correct - big assumption but I'm sure someone will enlighten us if
it's incorrect):
<Files ~ ".conf$">
Order allow,deny
Deny from all
</Files>
You could also shove that into a .htaccess file, but apache docs
recommend against it(or rather they recommend against the enabling of
.htaccess.
On 8/29/05, Thomas <thomas.hochstetter@xxxxxxx> wrote:
>
>
>
> Hi there,
>
> How can I protect all files with extension .xml from being accessed by the
> outside? For Apache can one use .htaccess (if yes, how?), is there a generic
> way of keeping stalkers from viewing your config files?
>
> Thomas
>
>
>
>
>
> SPIRAL EYE STUDIOS
> P.O. Box 37907, Faerie Glen, 0043
>
> Tel: +27 12 362 3486
> Fax: +27 12 362 3493
> Mobile: +27 82 442 9228
> Email: thomas.hochstetter@xxxxxxx
> Web: <http://www.spiraleye.co.za> www.spiraleye.co.za
>
>
>
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
