4

I'm working on a PHP project to develop a template engine for another programmers. The idea is simple: there will be a template folder with a template and a pages folder with the pages, php goes and get the template and insert the page inside of it using the current url. I've done this project without object orientation some years ago, but now I'm trying to do with having an object oriented focus.

The problem I'm facing is about configurations. In the original system, I had a PHP file with configurations hardcoded (the names of the folders containing includes, javascript, pages and so on). On the new one I was thinking on storing this data with XML, but the problem is that searching here on Stackexchange I've found this question and if I understood correctly, if I use the rewrite solution, it won't be accessible even by the PHP script and so I don't have a way to protect the configuration file from being read directly in the browser.

How should I work with this? Is there a better solution than using XML? I'm also avoiding the use of databases, since this is too simple to involve mysql connections and so on. I'm pretty sure that there is a way to allow the XML to be readable only from inside the server, but I'm not sure if that's the best solution.

Can someone tell me on how to procede in that case?

Thanks very much in advance!

Improve this question
4
  • 4
    file system includes are not manipulated by webserver rewrites so you are safe there. You could also just keep the configuration files outside of the document root. Commented Jul 26, 2013 at 21:25
  • If a database is an option, then explore that option. I know a few applications which connect to a database just for a few runtime configurations Commented Jul 26, 2013 at 21:29
  • 1
    Be careful when using a "config file" that is not in .php format. If this file is directly accessed, the client will see the whole content, including the database passwords and all other sensitive parameters you may have in it. I don't recommend you do that at all, even if you have something configured to protect its access. When it comes to security its always good to combine as many tricks you can to ensure the access limitation will not be bypassed even if something fails to protect it for any reason. Commented Jul 26, 2013 at 21:40
  • @Havenard, you're right. I thought a little more about that, and I think the best way to go is to save the configurations really in a php file to avoid this kind of problem. Thanks for the advice! Commented Jul 26, 2013 at 21:41

1 Answer 1

Reset to default
7

The simplest solution is to place the xml file in a directory higher up the tree than the /htdocs/ or /www/ directory. This will still be accessible by PHP but not by HTTP connections.

If you wish to make the file accessible to some external HTTP requests, you could secure the directory using a .htaccess file, but I don't recommend that as an enterprise-level solution. Alternatively or perhaps additionally, you might be able to chmod the file to 66(4) (not 5.. sorry), which should limit file access sufficiently.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

chmod 664 is probably the way to go. I don't think a config file needs to be executable
+1. Outside the web root. If you don't want a file to be accessed directly via http, then put it in a place where it can't be accessed via http. Simple as that.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.