
Php Files - Keep Out Of Web Directory Tree?


nachumk


I am learning how all this works and one thing I came across is security issues on misconfigured servers. Seems that a php file might accidentally be read by someone accessing the web page if Apache is upgraded incorrectly or if the php module stops working... Is there a good reason to keep php files in the web accessible directory tree, or can I use a helper php file to just require the necessary file from outside the web tree? Seems to me this could stop my php files from leaking out.


The easiest thing is to use .htaccess files. This way you can make entire directories inaccessible to normal HTTP requests, but available for includes or reading/writing as data. This will get you started: http://www.google.com/search?q=htaccess+deny Obviously, if you make a directory inaccessible to HTTP requests, you can't keep CSS or script files in there, because that is how browsers get them. But it's the way to go for includes and data files.


I understand what .htaccess does. The reason I ask is if the .htaccess is accidentally changed, or upgraded, or system crashes and I forget to modify the .htaccess properly, or some such other thing happens. If I take the core php files completely out of the directory tree then I avoid that problem. But then I'd use referrer php files to just call require statements to run the actual code. Is this an OK idea? Is there something wrong with this, or is there a more secure way to do this? I don't actually need this security, but I'm learning and this piqued my interest.


It's probably fine to leave your PHP files where they normally go. If the server stops working correctly or if PHP crashes then the solution is to fix the web server. It seems kind of weird to have some funky application setup because you're trying to prepare in case of an unlikely catastrophic failure. Normally you would just fix the failure and go about your business normally.

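The layout asked about in this thread, sketched as an added example that is not code from any of the posts: a single stub inside the web root that only requires files kept outside it, so that if the PHP handler stops working a request can expose nothing but the stub's source. The directory paths, the `page` parameter and the route names are assumptions made for illustration.

```php
<?php
// public/index.php: the only PHP file inside the web root.
// Assumed (hypothetical) layout:
//   /var/www/example/public/   <- Apache DocumentRoot
//   /var/www/example/app/      <- application code, not reachable by URL
declare(strict_types=1);

// Resolve the code directory once; realpath() collapses any ".." segments.
$appDir = realpath(__DIR__ . '/../app');
if ($appDir === false) {
    http_response_code(500);
    exit('Application directory missing.');
}

// Allowlist mapping request names to files under app/.
// Request input only selects a key; it is never concatenated into a path.
$routes = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

// $_GET values can be arrays (?page[]=x), so check the type first.
$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !array_key_exists($page, $routes)) {
    http_response_code(404);
    exit('Not found.');
}

// Defence in depth: the resolved file must exist and still sit under app/.
$target = realpath($appDir . DIRECTORY_SEPARATOR . $routes[$page]);
$prefix = $appDir . DIRECTORY_SEPARATOR;
if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
    http_response_code(500);
    exit('Route target missing.');
}

// Everything that matters (logic, credentials, config) lives in the
// required file, which the web server cannot serve directly.
require $target;
```

With this arrangement the protection does not depend on an `.htaccess` rule staying in place, because the files under `app/` have no URL at all.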

Archived

This topic is now archived and is closed to further replies.
