On 8/30/05, Thomas <tomatosh@xxxxxxxxx> wrote:
> Hey guys,
>
> Thanks for all the answers. I had not considered leaving the xml file
> outside the webroot (duh!). However, in this case I don't think it would
> work, as the project is working through a svn structure (and some boxes run
> Linux, otherwise Win).
> I thought that the .htaccess would have been the best (apparently not?).
> Anyway, I will give the filtering out of the .whatever a shot.

You can put the rule for filtering out a .whatever into a .htaccess
file, using the code I gave you above. I discouraged the use of
.htaccess because the apache group discourages it for performance
reasons. If you enable .htaccess, then apache has to check every
subdirectory in your webtree for a .htaccess file, which may be a
resource waste.

The simplest solution, if you can't rely on an outside-webtree system,
would be to rename your file.whatever to .htfile.whatever, although it
is a bit of a hack, and not portable to other servers. The same can be
said however about .htaccess.

>
> One thing on that: how about portability? What if I didn't have access to
> the httpd.conf file of Apache on the live server? How will I enable such
> rules (without having to bother the server dude, who may or may not like to
> do that)? From that question, .htaccess files seem the most portable
> solution.
>
> Thanks again.
>
> t
>
> -----Original Message-----
> From: Rory Browne [mailto:rory.browne@xxxxxxxxx]
> Sent: 29 August 2005 07:59 PM
> To: Thomas
> Cc: php-general@xxxxxxxxxxxxx
> Subject: Re: Protecting files
>
> Personally I reckon that you should simply place them outside the webroot.
>
> If you are either too lazy to do this, or too paranoid for this alone,
> then you could consider renaming them from filename.xml to
> .ht_filename.xml. There is a section in most default apache config
> files to make filenames beginning with .ht inaccessible.
>
> I would recommend against filtering out .xml files. Whilst they may
> only be config files at the minute, you may in future wish to serve up
> xml files. I would instead suggest that you change your naming scheme
> to have config files ending in .conf, .config, .settings, or .set or
> something else non-standard, and filter out that. A file doesn't have
> to be called something.xml to contain xml.
>
> If for example you want to filter out pages ending in .conf, then you
> could do something like this (assuming my understanding of apache regex
> is correct - big assumption but I'm sure someone will enlighten us if
> it's incorrect):
> <Files ~ "\.conf$">
> Order allow,deny
> Deny from all
> </Files>
>
> You could also shove that into a .htaccess file, but apache docs
> recommend against it (or rather they recommend against the enabling of
> .htaccess).
>
> On 8/29/05, Thomas <thomas.hochstetter@xxxxxxx> wrote:
> >
> > Hi there,
> >
> > How can I protect all files with extension .xml from being accessed by the
> > outside? For Apache can one use .htaccess (if yes, how?), is there a generic
> > way of keeping stalkers from viewing your config files?
> >
> > Thomas
> >
> > SPIRAL EYE STUDIOS
> > P.O. Box 37907, Faerie Glen, 0043
> >
> > Tel: +27 12 362 3486
> > Fax: +27 12 362 3493
> > Mobile: +27 82 442 9228
> > Email: thomas.hochstetter@xxxxxxx
> > Web: <http://www.spiraleye.co.za>
> >

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
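
An added example, not part of the original thread: a Python sketch that models how the filename rules discussed above (the stock `^\.ht` rule and a `<Files ~ "...">` pattern for `.conf`) would apply to a webroot listing, and why the dot in the pattern should be escaped. It assumes Apache's unanchored regex match on the file's base name can be modelled with `re.search`; the file list and all function names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

HT_RULE = r"^\.ht"        # usual default rule hiding .htaccess-style names
LOOSE_RULE = r".conf$"    # dot left unescaped: matches any character + "conf"
STRICT_RULE = r"\.conf$"  # literal dot: only names ending in ".conf"


def is_denied(path, rules):
    """True if any rule matches the base name, as <Files ~ "..."> would."""
    name = PurePosixPath(path).name
    return any(re.search(rule, name) for rule in rules)


def audit(paths, rules, sensitive):
    """Return (sensitive files still served, ordinary files blocked)."""
    exposed, overblocked = [], []
    for path in paths:
        secret = path in sensitive
        blocked = is_denied(path, rules)
        if secret and not blocked:
            exposed.append(path)
        elif blocked and not secret:
            overblocked.append(path)
    return exposed, overblocked


# Constructed sample listing; SENSITIVE marks what must never be served.
WEBROOT = [
    "index.php",
    "feeds/news.xml",
    "config/settings.xml",      # config file left under its original name
    "config/.ht_settings.xml",  # the ".ht_" rename suggested in the thread
    "config/db.conf",
    "config/db.conf.bak",       # backup copy left next to the real file
    "bin/reconf",               # ordinary file whose name ends in "conf"
]
SENSITIVE = {"config/settings.xml", "config/.ht_settings.xml",
             "config/db.conf", "config/db.conf.bak"}

if __name__ == "__main__":
    for label, rule in (("loose", LOOSE_RULE), ("strict", STRICT_RULE)):
        exposed, overblocked = audit(WEBROOT, [HT_RULE, rule], SENSITIVE)
        print(f"{label}: exposed={exposed} overblocked={overblocked}")
```

The backup copy `config/db.conf.bak` is served under both patterns, which is one reason the thread's first suggestion, keeping such files outside the webroot, is the more robust one.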