>This is a PHP question that came up while working with SquirrelMail.
I read an installation procedure that suggested moving several
directories out of web space. Two of them make sense, but the third
directory, houses configuration options in php files. If the web server
is properly optioned to serve .php files (by executing php and serving
the result), is there any reason to place this write protected directory
outside of web space?
There is no way for someone to see anything
inside "<?php" and "?>" right?
True if PHP is correctly configured and working, but it can happen if:
(1) You lose the Apache directives that cause it to treat .php files
as PHP (say, during an upgrade of Apache).
(2) The PHP extension shared library gets deleted after a messy power
brownout crash and subsequent fsck, and Apache can't load PHP.
or
(3) Briefly during an upgrade of PHP.
You really ought to shut down Apache during upgrades of Apache or PHP
but sometimes admins forget.
"The files are secure if PHP is working" is less secure than "The
files are secure if PHP is working (inside PHP section) and the
files are secure if PHP is not working (outside document tree)".
Gordon L. Burditt