[MonoDevelop] PHP Language Bindings

Michael Hutchinson m.j.hutchinson at gmail.com
Sat Sep 23 18:41:47 EDT 2006


On 9/23/06, Victor Rafael Rivarola Soerensen (FANATICO y LOCO por
Cristo) <vrrivaro at gmail.com> wrote:
> Not necessarily. For security reasons, it is recommended that templates
> and other files referred to by the scripts be kept outside the web
> server's document root. This makes it more difficult (it is still
> possible) for some cracker to deface your site.

I don't get this -- surely you want to limit your scripts' read/write
access to *inside* your web root, so that if someone subverts them or
injects malicious code, they can't access the rest of the filesystem.

As for preventing direct outside access to these files, this should be
done by the web server itself. For example, the Drupal PHP CMS
framework uses the .htaccess rule
<FilesMatch "(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$">
  Order deny,allow
  Deny from all
</FilesMatch>

-- 
Michael Hutchinson
http://mjhutchinson.com
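
Added example, not part of the original message and not Drupal's own code: a small audit that applies the FilesMatch pattern quoted above to a file listing and reports which files the rule denies and which remain directly requestable. The helper names and the sample listing are constructed for illustration, and Python's re module is assumed to stand in for Apache's regex engine.

```python
import re

# The FilesMatch pattern quoted in the message above, copied verbatim.
# Assumption: Python's re stands in for Apache's PCRE; the pattern uses
# only constructs that behave the same in both engines.
DRUPAL_FILESMATCH = re.compile(
    r"(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)"
    r"|code-style\.pl|Entries.*|Repository|Root)$"
)

def is_denied(path):
    """Return True if the rule would deny a direct request for this file.

    <FilesMatch> is applied to the file's basename, not its directory,
    so only the last path component is tested.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return DRUPAL_FILESMATCH.search(name) is not None

def audit(paths):
    """Split paths into (denied, still_served) under the rule."""
    denied, served = [], []
    for p in paths:
        (denied if is_denied(p) else served).append(p)
    return denied, served

# Constructed sample document-root listing (hypothetical file names).
SAMPLE_DOCROOT = [
    "index.php",
    "includes/database.inc",
    "themes/example/page.tpl.php",
    "modules/node/node.module",
    "scripts/cron.sh",
    "backup/site.mysql.sql",
    "CVS/Entries",
    "includes/database.inc.bak",   # backup copy: suffix no longer matches
    "templates/page.tpl.php~",     # editor swap file: not matched either
    "config/settings.ini",         # extension the pattern does not list
]

if __name__ == "__main__":
    denied, served = audit(SAMPLE_DOCROOT)
    for p in denied:
        print("denied  ", p)
    for p in served:
        print("SERVED  ", p)
```

Because the pattern is anchored at the end of the name, backup and editor copies of protected files fall outside it, which is the kind of gap this listing makes visible when run against a real document root.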

