On Jan 23, 2008 2:50 PM, Roberto Mansfield <robertom@xxxxxxxxxxxxx> wrote:
> I tend to keep the directories in the document root, but I deny access
> via an .htaccess file. This keeps the code in a simple directory
> structure. Anyone else doing that?

My fear on that is if there are changes to the server. Say, for example, someone takes over my job (which will happen someday, one way or another), and they are charged with upgrading services on the server. While doing Apache, they "accidentally" (for argument's sake) forget to properly configure the AllowOverrides and AddHandler/AddType directives. Now .htaccess isn't read and doesn't bar access to the directory, and the files have full source disclosure - including any database login credentials, et cetera.

This is what we like to call a Bad Thing[tm].

--
</Dan>

Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self Since Nineteen-Seventy-[mumble].
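
An added example, not part of the original message: a post-upgrade audit that reads the Apache configuration and reports document-root directories whose .htaccess deny rule would be silently ignored. The paths, sample configuration and function names are constructed for illustration, and the parser is a simplification that handles only plain `<Directory>` blocks with `AllowOverride` (no `AllowOverrideList`, no `<DirectoryMatch>`).

```python
import re

# Constructed sample: httpd.conf after an upgrade that reset one override.
SAMPLE_CONF = """
<Directory "/var/www/html">
    AllowOverride None
</Directory>
<Directory "/var/www/html/app">
    AllowOverride Limit
</Directory>
"""

# Override class each .htaccess rule needs before Apache will honour it:
# "Deny from all" needs Limit, "Require all denied" needs AuthConfig.
NEEDED = {"deny": "limit", "require": "authconfig"}

def parse_overrides(conf_text):
    """Return {directory_path: set of lowercase AllowOverride tokens}."""
    overrides, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = m.group(1).rstrip("/") or "/"
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current and line.lower().startswith("allowoverride "):
            overrides[current] = {t.lower() for t in line.split()[1:]}
    return overrides

def effective_override(overrides, path):
    """Longest matching <Directory> wins; no match means the 2.4 default, None."""
    best = ""
    for d in overrides:
        if (path == d or path.startswith(d.rstrip("/") + "/")) and len(d) > len(best):
            best = d
    return overrides.get(best, {"none"})

def unprotected(conf_text, htaccess_rules):
    """htaccess_rules maps dir -> 'deny' or 'require'; return dirs whose rule is ignored."""
    overrides = parse_overrides(conf_text)
    bad = []
    for path, kind in sorted(htaccess_rules.items()):
        eff = effective_override(overrides, path)
        if "all" not in eff and NEEDED[kind] not in eff:
            bad.append(path)
    return bad
```

A static check like this complements, rather than replaces, requesting a protected file over HTTP after the upgrade and confirming the server answers 403.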