Hey guys, Thanks for all the answers. I had not considered leaving the xml file outside the webroot (duh!). However, in this case I don't think it would work, as the project is working through a svn structure (and some boxes run Linux, otherwise Win). I thought that the .htaccess would have been the best (apparently not?). Anyway, I will give the filtering out of the .whatever a shot. One thing on that: how about portability? What if I didn't have access to the httpd.conf file of Apache on the live server? How will I enable such rules (without having to bother the server dude, who may or may not like to do that)? From that question, .htaccess files seemm the most portable solution. Thanks again. t -----Original Message----- From: Rory Browne [mailto:rory.browne@xxxxxxxxx] Sent: 29 August 2005 07:59 PM To: Thomas Cc: php-general@xxxxxxxxxxxxx Subject: Re: Protecing files Personally I reckon that you should simply place them outside the webroot. If you are either too lazy to do this, or too paranoid for this alone, then you could consider renaming them from filename.xml to .ht_filename.xml. There is a section in most default apache config files to make filenames beginning with .ht to be unaccessable. I would recommend against filtering out .xml files. Whilst they may only be config files at the minute, you may in future wish to serve up xml files. I would instead suggest that you change your naming scheme to have config files ending in .conf, .config, .settings, or .set or something else non-standard, and fileter out that. A file doesn't have to be called something.xml to contain xml. If for example you want to filter out pages ending in .conf, then you could do something like this(assuming my understanding of apache regex is correct - big assumption but I'm sure someone will enlighten us if it's incorrect): <Files ~ ".conf$"> Order allow,deny Deny from all </Files> You could also shove that into a .htaccess file, but apache docs recommend against it(or rather they recommend against the enabling of .htaccess. On 8/29/05, Thomas <thomas.hochstetter@xxxxxxx> wrote: > > > > Hi there, > > How can I protect all files with extension .xml from being accessed by the > outside? For Apache can one use .htaccess (if yes, how?), is there a generic > way of keeping stalkers from viewing your config files? > > Thomas > > > > > > SPIRAL EYE STUDIOS > P.O. Box 37907, Faerie Glen, 0043 > > Tel: +27 12 362 3486 > Fax: +27 12 362 3493 > Mobile: +27 82 442 9228 > Email: thomas.hochstetter@xxxxxxx > Web: <http://www.spiraleye.co.za> www.spiraleye.co.za > > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
