Topic: Private Directory (Read 2745 times)

RV Guy
Is there a directory, or some place on the server, that is inaccessible through the internet to store scripts containing db passwords and other private information? As an example, some servers have the web root (called public_html on these servers), but have another directory below this directory called 'private' which is inaccessible through the web. It would be in this 'private' directory where you store all scripts with sensitive info.
If no such provision is available, what would be the safest way to store scripts with sensitive info? Thanks in advance for your help.
RV Guy

AlphaWolf
> Is there a directory, or some place on the server, that is inaccessible through the internet to store scripts containing db passwords and other private information? As an example, some servers have the web root (called public_html on these servers), but have another directory below this directory called 'private' which is inaccessible through the web. It would be in this 'private' directory where you store all scripts with sensitive info.
> If no such provision is available, what would be the safest way to store scripts with sensitive info? Thanks in advance for your help.
> RV Guy
I'm not sure exactly what you are wanting to do here since usually the scripts for applications need to be in the directory of the application. Private directories are made private by adding a .htaccess file which outlines who and how files in that directory can be accessed. The link below will explain how .htaccess files are created and used.
http://httpd.apache.org/docs/2.0/howto/htaccess.html
peace
Wolf

RV Guy
You answered my question by virtue of your comment "I'm not sure exactly what you are wanting to do here". It means you don't have this feature.
I always create php 'includes' for any code that contains sensitive information (i.e. db passwords), and put them into a separate directory other than the one that contains the main app. And yes, I do understand about password-protecting directories, and that's what I do for these includes.
Most servers are set up similar to W4C servers, in that you have a web directory - public_html here, httpdocs on others, etc. But many other servers have a directory named 'private' that is not accessible from the web. Maybe to illustrate, I create a directory under the web root; public_html/includes. People with access to the internet can actually get to this directory, such as: http://www.mydomain.com/includes and bang, they are in. But with this 'private' directory, a person can never get to this directory, as it resides outside the normal web path. But you can access the directory from within your application.
Maybe a slightly better explanation referring to W4C servers, the directory structure has public_html, etc, mail, etc. directories at the same level. A visitor can get to public_html and beyond, but they can never get to the 'etc', 'mail', etc. directories. Same premise I'm talking about - a directory named 'private' would reside here and visitors can't get to it - much, much safer than just password-protecting a directory.
Anyway, don't know if this explanation helped or not, and it's a long reply for a minor issue - sorry. But thanks for the response and hope you have a blessed day.
RV Guy

AlphaWolf
Ah ok I understand.
I know that sites with FP extensions installed have a _private directory that asks for a user name and password. You might also try CHMODing a directory to disallow World.
I am assuming that this automatic private directory you are talking about is specific to a particular flavor of *nix. I have no experience with any flavors except SCO and Red Hat - we use RH here.
peace
Wolf

Scott Chase
I have seen where you create a directory on the same level as public_html such as /db_includes. You would be able to include the files using local paths and not web paths. I don't know that this would be any different than creating a subdirectory under public_html and removing read rights as Wolf suggested.

AlphaWolf
> I have seen where you create a directory on the same level as public_html such as /db_includes. You would be able to include the files using local paths and not web paths. I don't know that this would be any different than creating a subdirectory under public_html and removing read rights as Wolf suggested.
Great idea - I didn't even think to mention that.

RV Guy
Thanks, guys. You answered before I even asked - clairvoyant, I guess! I have tried what csadmin suggested, and it works like a charm.
I'm sure 'protecting' a directory works just fine in keeping sensitive info safe. But in my mind, having this info in a directory that the www can't even see in the first place helps me sleep better at night.
Thanks for the replies and suggestions, and hope you have a very blessed day.
RV Guy
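
As an added example (not part of the thread, and not code from any poster): a shell check for the two ideas discussed above, a directory at the same level as public_html and permissions that disallow World. The names db_includes and db_config.php, the PHP variable and the temporary directory tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Directory and file names are constructed for illustration.

# Build a throwaway account layout and print its path.
build_demo_tree() {
    _home=$(mktemp -d) || return 1
    mkdir -p "$_home/public_html/includes" "$_home/db_includes"
    # Weak placement: under the web root and world-readable.
    echo '<?php $db_pass = "constructed-placeholder";' \
        > "$_home/public_html/includes/db_config.php"
    chmod 644 "$_home/public_html/includes/db_config.php"
    # Safer placement: sibling of public_html, no permissions for "world".
    # Assumes PHP runs as the owner or a member of the file's group.
    cp "$_home/public_html/includes/db_config.php" "$_home/db_includes/"
    chmod 750 "$_home/db_includes"
    chmod 640 "$_home/db_includes/db_config.php"
    echo "$_home"
}

# check_secret_file WEBROOT FILE
# Prints findings; returns 0 only if FILE resolves outside WEBROOT and has
# no world permission bits, 1 if a finding was reported, 2 on a bad path.
check_secret_file() {
    _wr=$(cd "$1" 2>/dev/null && pwd -P) || { echo "MISSING $1"; return 2; }
    _dir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || { echo "MISSING $2"; return 2; }
    _f=$_dir/$(basename "$2")
    [ -f "$_f" ] || { echo "MISSING $2"; return 2; }
    _rc=0
    # Compare resolved paths so a symlinked directory cannot hide the location.
    case "$_f" in
        "$_wr"/*) echo "INSIDE_WEBROOT $_f"; _rc=1 ;;
    esac
    # Characters 8-10 of the ls mode string are the "world" permissions.
    _world=$(ls -ld "$_f" | cut -c8-10)
    if [ "$_world" != "---" ]; then
        echo "WORLD_ACCESS $_f ($_world)"; _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "OK $_f"
    return "$_rc"
}

# The application then loads the file by filesystem path, not by URL, e.g. in PHP:
#   require dirname($_SERVER['DOCUMENT_ROOT']) . '/db_includes/db_config.php';
demo_home=$(build_demo_tree)
check_secret_file "$demo_home/public_html" "$demo_home/public_html/includes/db_config.php" || true
check_secret_file "$demo_home/public_html" "$demo_home/db_includes/db_config.php" || true
rm -rf "$demo_home"
```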