Where to place Php scripts?


Monroe
05-01-2004, 11:17 AM
For security and neatness, where should I place php scripts? When I look at the setup on the site, I get the idea they should go someplace under the doc root, and specifically someplace under the html/htdocs folder. But when I read security articles, it looks like I should put them outside the html folder.

So should I put them under:

1. var/www/cgi-bin/some_directory?

2. var/www/some_directory?

3. var/www/html/some_directory?

I see that PhpMyAdmin and the test page follow scheme 3 using plugins.

Monroe
05-01-2004, 10:13 PM
This particular PHP app seems to work only if it is set up under the /var/www/html folder. I made a symlink so that I could keep the files outside of the html folder, but then Apache complained that I didn't have permission to view the files. And there are a zillion of them that would have to be changed.

So what are the recommended settings to keep unauthorized people out, but still provide web access to a login page (controlled by the app, not by htaccess)?

Chris
05-02-2004, 01:35 PM
Hi Monroe,

Ideally, you want to put your PHP scripts that need to be accessed by the public under /var/www/html or /www/htdocs. /www/htdocs is a shortcut to the latter.

Most PHP apps have includes directories that hold functions/classes that are behind the scenes and do most of the work. Generally, you want to put these scripts above /var/www/html. Maybe something like /var/www/phpincludes or /var/www/myapp. Most apps have an include path to these paths. I hope this helps.

Upsidedown Designer
05-02-2004, 03:17 PM
I personally think it is also good practice to name all include files with a .php ending instead of .inc, especially includes that contain passwords (i.e. MySQL). That way the script will go through the PHP interpreter and not display any code to the browser.
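
Added example, not part of the original thread: a small audit of a document root for the two problems raised in the posts above, PHP source stored under an extension the interpreter does not handle (such as .inc) and symlinks that point outside the web root. It assumes only .php is mapped to the PHP interpreter; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Assumption: only these extensions are passed to the PHP interpreter.
PHP_HANDLED = {".php"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")

def audit_docroot(docroot, handled=PHP_HANDLED):
    """Return sorted (relative_path, reason) findings under docroot."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append((rel, "symlink leaves docroot"))
                continue
            ext = os.path.splitext(name)[1].lower()
            if os.path.isfile(path) and ext not in handled:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
                if any(tag in head for tag in PHP_OPEN_TAGS):
                    findings.append((rel, "PHP source not handled by interpreter"))
    return sorted(findings)

def build_sample(base):
    """Constructed sample: html/ is the docroot, phpincludes/ sits beside it."""
    html, inc = os.path.join(base, "html"), os.path.join(base, "phpincludes")
    os.makedirs(os.path.join(html, "app"))
    os.makedirs(inc)
    secret = "<?php $db_pass = 'example'; ?>"
    for path, text in [(f"{html}/index.php", "<?php echo 'hi'; ?>"),
                       (f"{html}/app/db.inc", secret),
                       (f"{html}/app/style.css", "body { margin: 0 }"),
                       (f"{inc}/db.php", secret)]:
        with open(path, "w") as fh:
            fh.write(text)
    os.symlink(inc, os.path.join(html, "lib"))
    return html

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in audit_docroot(build_sample(tmp)):
            print(f"{rel}: {reason}")
```

The copy of db.php under phpincludes/ is not reported because it sits outside the document root; the same content as app/db.inc inside it is.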

dave
03-13-2005, 02:57 AM
For security and neatness, where should I place php scripts?

I put them in /var/www/mydir (which is behind /var/www/html).

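You can access it this way:

<?php
// Directory outside the web root that holds the include files
$php_code_path = '/var/www/mydir';

// A path separator is needed between the directory and the file name
include_once $php_code_path . '/mysqlconnect.php';
?>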

-- Dave