On Jan 23, 2008 2:50 PM, Roberto Mansfield <robertom@xxxxxxxxxxxxx> wrote:
> I tend to keep the directories in the document root, but I deny access
> via an .htaccess file. This keeps the code in a simple directory
> structure. Anyone else doing that?
My fear on that is if there's changes to the server. Say, for
example, someone takes over my job (which will happen someday, one way
or another), and they are charged with upgrading services on the
server. While doing Apache, they "accidentally" (for argument's sake)
forget to properly configure the AllowOverrides and AddHandler/AddType
directives. Now .htaccess isn't read and doesn't bar access to the
directory, and the files have full source disclosure - including any
database login credentials, et cetera.
This is what we like to call a Bad Thing[tm].
--
</Dan>
Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self Since
Nineteen-Seventy-[mumble].
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
