security question: includes outside doc root

I read that, from a security point of view, includes (containing PHP
code) should be located outside the document root.
On a LAMP server, where do you place those includes?
My document root is /var/www/html (/var/www/html/site1,
/var/www/html/site2, ...). Is, for example, /var/www/phpincludes/ good
enough for security reasons?
(This way I do not have to change backup jobs.)

Thanx,

JM
puginews [ Fri, 29 June 2007 11:03 ] [ ID #1754560 ]

Re: security question: includes outside doc root

Pugi! wrote:
> I read that, from a security point of view, includes (containing PHP
> code) should be located outside the document root.
> On a LAMP server, where do you place those includes?
> My document root is /var/www/html (/var/www/html/site1,
> /var/www/html/site2, ...). Is, for example, /var/www/phpincludes/ good
> enough for security reasons?

You find your document root(s) in your Apache settings; an easy way to check
them is to grep for DocumentRoot in the configuration files you have
for your sites.

Your document root seems to be /var/www/html/site1 for site1, so for that one
you can place files in /var/www/html/ and you will be outside the site's root
directory.
Your document root seems to be /var/www/html/site2 for site2, so for that one
you can place files in /var/www/html/ and you will be outside the site's root
directory.
If you have a default server running which has /var/www/html as document root,
then change that as fast as possible, as this can lead to security overrides.
Create a new document root for it, for example /var/www/html/default, and move
all files there that don't have anything to do with your other sites.

The answer to your question is that /var/www/phpincludes/ is outside your
document roots.


--

//Aho
Shion [ Fri, 29 June 2007 12:10 ] [ ID #1754562 ]
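
Added example, not part of either post: a shell check for the advice above that reads DocumentRoot from the Apache configuration and tests whether a candidate include directory falls under any of them. The sample configuration is constructed and the function names are hypothetical; it assumes config files end in .conf and paths contain no spaces.

```shell
# Print each DocumentRoot value found in *.conf files under directory $1,
# with quotes and trailing slashes removed.
list_docroots() {
    find "$1" -type f -name '*.conf' -exec awk '
        tolower($1) == "documentroot" {
            v = $2; gsub(/"/, "", v); sub(/\/+$/, "", v); print v
        }' {} + | sort -u
}

# Print the document roots that contain directory $2.
# Returns 0 when none do (not web-reachable by path), 1 otherwise.
check_include_dir() {
    inc=${2%/}
    hits=$(list_docroots "$1" | while IFS= read -r root; do
        case "$inc/" in
            "$root"/*) printf '%s\n' "$root" ;;
        esac
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample config: two vhosts plus a default server on the parent.
make_sample_conf() {
    d=$(mktemp -d)
    cat > "$d/sites.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html/site1
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/var/www/html/site2/"
</VirtualHost>
# default server still pointing at the parent directory
DocumentRoot /var/www/html
EOF
    printf '%s\n' "$d"
}

conf=$(make_sample_conf)
for dir in /var/www/phpincludes /var/www/html /var/www/html/site1/inc; do
    if roots=$(check_include_dir "$conf" "$dir"); then
        echo "$dir: outside every DocumentRoot"
    else
        echo "$dir: inside" $roots
    fi
done
rm -rf "$conf"
```

The check only compares path strings; an Alias directive or a symlink inside a document root can still expose a directory that it reports as outside.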

Re: security question: includes outside doc root

On 29 Jun, 10:03, Pugi! <pugin... [at] gmail.com> wrote:
> I read that, from a security point of view, includes (containing PHP
> code) should be located outside the document root.
> On a LAMP server, where do you place those includes?
> My document root is /var/www/html (/var/www/html/site1,
> /var/www/html/site2, ...). Is, for example, /var/www/phpincludes/ good
> enough for security reasons?
> (This way I do not have to change backup jobs.)

FFS! Pugi! That's the last thing on your list of priorities when
choosing a directory.

Also, one directory is far from appropriate for a sensible
architecture. I use at least 3:

/usr/share/php/ - stuff supplied off-the-shelf - PEAR, frameworks etc.
/usr/local/phpenv.inc/ - stuff specific to the environment this server
runs in (develop/test/live), e.g. database credentials, database
server, list of servers in cluster
/usr/local/phpbox.inc/ - stuff unique to this server

How you organise them should be determined by how you manage your
servers' filesystems - if that means changing your backup... guess
what.

C.
colin.mckinnon [ Wed, 04 July 2007 23:31 ] [ ID #1759614 ]