Daniel Brown wrote:
> On Jan 23, 2008 2:50 PM, Roberto Mansfield <robertom@xxxxxxxxxxxxx> wrote:
>> I tend to keep the directories in the document root, but I deny access
>> via an .htaccess file. This keeps the code in a simple directory
>> structure. Anyone else doing that?
>
> My fear on that is if there's changes to the server. Say, for
> example, someone takes over my job (which will happen someday, one way
> or another), and they are charged with upgrading services on the
> server. While doing Apache, they "accidentally" (for argument's sake)
> forget to properly configure the AllowOverrides and AddHandler/AddType
> directives. Now .htaccess isn't read and doesn't bar access to the
> directory, and the files have full source disclosure - including any
> database login credentials, et cetera.
>
> This is what we like to call a Bad Thing[tm].
>

Ahh, an excellent point.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
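
An added example, not part of the original thread: a Python audit that lists the code and configuration files under a document root whose only barrier is a blanket-deny .htaccess, which are the files that become reachable if the server stops honoring overrides. The function names and the extension list are assumptions made for this illustration.

```python
import os
import re
import sys

# Blanket-deny rules: Apache 2.2 style ("Deny from all") and 2.4 style
# ("Require all denied"). Commented-out lines do not match.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\b",
                     re.I | re.M)

# Extensions that commonly hold code or credentials (assumed list; adjust).
SENSITIVE_EXT = {".php", ".inc", ".ini", ".conf", ".sql"}


def htaccess_denies(path):
    """Return True if the .htaccess file at `path` has a blanket deny rule."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return bool(DENY_RE.search(fh.read()))
    except OSError:
        return False


def audit_docroot(docroot):
    """Map each .htaccess-protected directory to the sensitive files below it.

    Paths are relative to `docroot`. Every file listed depends entirely on
    the server reading .htaccess; moving it outside the document root
    removes that dependency.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(docroot):
        if ".htaccess" not in filenames:
            continue
        if not htaccess_denies(os.path.join(dirpath, ".htaccess")):
            continue
        exposed = []
        for sub, _, files in os.walk(dirpath):
            for name in files:
                if os.path.splitext(name)[1].lower() in SENSITIVE_EXT:
                    full = os.path.join(sub, name)
                    exposed.append(os.path.relpath(full, docroot))
        if exposed:
            findings[os.path.relpath(dirpath, docroot)] = sorted(exposed)
        dirnames[:] = []  # subtree already scanned; do not descend again
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    for directory, files in audit_docroot(sys.argv[1]).items():
        print(f"{directory}: protected only by .htaccess")
        for f in files:
            print(f"  {f}")
```

Run it with the document root as the only argument; an empty result means no sensitive file relies solely on an .htaccess deny rule.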