Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

Protect ini files

Hello,

my whole sensitive config like db connection params is in confi.ini file. Maybe someone has already written .htaccess to prevent ini files from reading?

Thank you

edited Oct '14

Ideally you would not have the configuration files in the public web directory, it should be outside it. Your entire application (typically 'app' dir) should be outside the public directory. The bootstrap index.php file, and all static resources like CSS, JS, images, etc should be the only files in the public directory.

I can't do that because of server configuration. Ftp server is chrooted me at public_html.



5.9k
Accepted
answer
edited Oct '14

In that case you might be best using a .php file for the configuration, rather than a .ini

But if absolutely neccessarry, you can block access to the configuration directory by adding

deny from all

to your .htaccess If that doesn't work, just do

order deny,allow

deny from all