With an .htaccess file, if it is supported by your server (normally yes).

Thanks but I asked how....Gonna need more than that...anyway since I'm here I'll define what I first posted in this thread.

I want to be able to only access folders and files for my forum with the php scripts.

Yes, I know. If you use .htaccess you have two possibilities to prevent access to files from 'outside' and so you'll let only server-side scripts access to those files.

- htaccess password file or
- mod_rewrite

Saludo
piz

I usually try to put all my include scripts outside of the web server root. That way, even if someone finds out the file name and where they are on the server, they would need to hack into the server to get the scripts.

example:

server root: /home/userName/public_html

includes: /home/userName/includes/ (just make it readable to apache.)

then create a constant in PHP

Then include files like this...

my files that will be accessed are outside the root on the server. closest it ever gets it 1 directory away...and 2 directories away for the password..i guess if i add an index.html blank page to those directories that would be enough

Why? Just turn off directory listing and you'll need no blank index.

...or do this with .htaccess... ;-)

I cant find that file. Ive been trying to find it for a week now and Ive contacted my server about 5 times. Its nowhere to be found nor where they claim it is.


The reason for putting in a blank index.html file is that if you type in the folder path it will take you to that...Im running apache and it can be known to list the directories...

If your files are outside of the root, there's no way to access them through apache.

Example...

if your server root is /home/userName/public_html, then you can access the files though a browser at http://mydomain.com/~userName/

On the other hand, if you place the files outside of the public_html directory (i.e. /home/userName/someplace/ you can never access the files through apache. Indexing won't matter as they are inaccessible to the world.

Now, if your placing the files in a directory which is a direct decendent of the server root (i.e. /home/userName/public_html/somedir, they are not secure and can be viewed at http://mydomain.com/~userName/somedir. Even if you have an index.html file to stop the directory listing and disable directory listings in Apache, if someone guesses your file name, or sees it in an error message, they can still view the file with a direct request.


To find the config file and to turn off directory listings, log into your server via ssh: type the following:

This will find the apache config file, then open it using vi (assuming you have permission to)

Look for the line:
and delete "Indexes"

To find the configuration file, see above.
To find the .htaccess file, you have to create one and turn "show hidden files" on.

If the username and password are in a php file, then there's no way anyone can see them anyway, whether it's in a protected directory or above domain root. Unless of course you're printing those details out on that file

... but on some shared hosts a file given 0777 or 0666 etc permissions is often readable by other users on the same server regardless of being above or below the web root , especially if the file was created by script (apache|nobody) , anyone who can read/include a file can then get the contents, so your caution is valid.