: Installing a PHP framework to a host without public_html or www folders (ftp is DocumentRoot) I've developed a PHP framework that operates with the directory structure of / /classes/ /templates/

@Frith620

The better solution is to code so that there is no security risk from someone requesting these files. Remember that since PHP is interpreted at the server-side then you can code your files to return an empty document or redirect elsewhere when requested.

This is what Wordpress does. Try asking for any of the files you are not supposed to and what the browser gets is simply an empty document. Even if you ask for wp-config.php which is the standard file containing the most sensitive access information, what you get is simply nothing.

Vote Up Vote Down

@Alves908

Presumably you just need to block HTTP access (return an HTTP status code of 403 - Forbidden) to these folders, if stored in the document root? In your document root .htaccess file:

# Block HTTP access to certain folders
RewriteRule ^classes/.* - [F]
RewriteRule ^templates/.* - [F]


(...and build flexibility into your framework to allow your framework to be located at the same level as the public HTML.)

If I understand your other/alternative question correctly... I can't see any benefit in trying to fake a document root using rewrite rules. Presumably this is to maintain the directory structure? I don't think this will add any more security and just introduces an additional layer of complexity IMO.

Vote Up Vote Down