Directory Structure and Security

Ah yeh, you have to be careful with that, but it’s easily the best solution for an application that uses rewritten URLs - either that or use absolute paths, which is worse I think.

No, I would expect everything in my web root to be active.

I was just saying I make it overly easy for people to see all of your files.

I never said to use goofy names for database components, but it does make sense not to store everything in default folder names in default places.

People who do “drive-by” attacks tend to look in obvious places for obvious weaknesses.

If you make things a little more obscure, it may make them keep going.

However, I have never said that is a total security solution.

I have just read enough valid security articles to know that this is one of numerous strategies that should decrease your chances of being hacked.

At least if the code is written in ANYTHING resembling secure practices. As I have seen proven time and time and time and time and TIME again the past three decades, security through obscurity is no security at all. See BlackBerry at Pwn2Own.

But it is one of 100 things - that when combined together - can help.

You most certainly can “include” files outside of your Web Root…

Off Topic:

I was up until 4:00am, I apologize, but a lot of the points we were arguing on are probably lost because of the Internet, time, and my 4am computer hang-over!

The three directory pathing methods:

uptree: ../images/image.png – /FAIL/

rooted: /images/image.png – /FAIL/

downtree: images/image.png – /WIN/

  1. Functions the user can call directly and/or static files in root; This is why I prefer to have a SINGLE index.php through which ALL functions are called… a single valid point of entry/exit means only one place they can hack.

I don’t disagree.

  2. Subfunctions and things the user should not call directly for php in a subdirectory (like “sources” or “libraries”). Said files return NOTHING if called directly, containing ONLY objects and functions. Secure functions (like returning SQL login info) I’ll typically code to throw if they aren’t called by the index.php in the directory above it. This also means NO global variables, no security information in DEFINE, etc, etc…

Someone else said put important PHP stuff outside of Root. Makes sense to me.

Off Topic:

Those two combined are where 90% (pulling a percentage out of my backside) of CMSs have their gaping security holes.

I’m sorry, but again, the continuity of our conversation is dying due to no fault of our own.

Recap.

What are CMS’s two fatal flaws?

  3. Content images (aka what should be in IMG tags) in a subdirectory so you can point DOWN-TREE. Likewise content files like downloads, movies, music can go in obviously named subdirectories down-tree of root.

Right. I was just saying maybe change the name from “images” to something slightly more obscure like “profile_pics”.

I dunno.

  4. CSS and theme code can go in a nice easy directory named “themes” and you can even do easy multitheming with a subdirectory

I thought you said before you don’t use directories/sub-directories?

The moment you resort to rooting (/) or up-tree (../) you have to call your entire directory structure into question. Work WITH how the server and user agent works, not against it!

I never implied that for page content, but what about the suggestion of “hiding” things like PHP classes or Data Config stuff outside of Root?

… and if it’s NOT something that actually appears on the website, what is it doing in a directory with stuff that is?

I don’t disagree.

Either put it in a subdirectory behind a password,

So you agree with that?

in a subdirectory with a index.html to prevent dir listings,

Or can you do the “Not Indexed” thing mentioned previously?

or just don’t put it on the server in the first place.

I got that.

Of the four filetypes you listed, only “Includes” makes the LEAST bit of sense for what you are thinking; but frankly if those includes are written PROPERLY so they don’t output anything when called directly – by wrapping anything and EVERYTHING they do in functions or classes/methods – and by not defining anything that could be mis-used, and adding a throw so only certain files can request secure information… The name of the directory or even their pulling a listing shouldn’t matter.

Fair enough.

But again, there’s a reason I’d like to see <?php and ?> removed from PHP completely

And that reason would be???

Debbie
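The include-file guidelines quoted in the exchange above (a library file that outputs nothing when requested directly, wraps everything in functions or classes, keeps secrets out of globals and DEFINE, and throws unless the entry point asked for them) can be shown in a few lines. The following is an added example and not code from anyone in this thread; the file names (index.php, lib/db_config.php), the APP_ENTRY marker constant and the credentials are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread. It demonstrates the guidelines
// quoted above: a library file that emits no output when requested directly,
// wraps everything in functions, and throws unless loaded by the entry point.
// File names (index.php, lib/db_config.php) and the APP_ENTRY constant are
// assumptions for illustration.

// The library file, written out to a temporary directory so the example runs
// stand-alone. Nothing outside a function body ever echoes.
$library = <<<'PHP'
<?php
declare(strict_types=1);

// No globals, no define() holding secrets: the only way to get credentials is
// to call this function, and it only answers the entry point.
function db_credentials(): array
{
    // index.php sets APP_ENTRY before including this file; a direct web request
    // for lib/db_config.php never does, so the marker is absent there.
    if (!defined('APP_ENTRY')) {
        throw new RuntimeException('db_credentials() called outside index.php');
    }
    // Hypothetical credentials; a real site would read them from a file kept
    // outside the web root rather than embed them here.
    return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'app', 'pass' => 'example'];
}

// A helper that is safe to call from anywhere because it leaks nothing.
function slugify(string $title): string
{
    return trim(preg_replace('/[^a-z0-9]+/', '-', strtolower($title)), '-');
}
PHP;

$dir = sys_get_temp_dir() . '/lib_guard_' . getmypid();
mkdir($dir . '/lib', 0755, true);
file_put_contents($dir . '/lib/db_config.php', $library);

// 1. Simulate a direct request for lib/db_config.php: include it with no
//    entry-point marker defined and capture whatever it prints.
ob_start();
require $dir . '/lib/db_config.php';
$leaked = ob_get_clean();
echo "direct request output: '" . $leaked . "'\n";

// 2. Calling the secret-returning function without the marker is refused.
try {
    db_credentials();
} catch (RuntimeException $e) {
    echo "refused: " . $e->getMessage() . "\n";
}

// 3. index.php defines the marker first, then the same call succeeds.
define('APP_ENTRY', true);
echo "via index.php: user=" . db_credentials()['user'] . "\n";
echo "slug: " . slugify('Directory Structure & Security') . "\n";

unlink($dir . '/lib/db_config.php');
rmdir($dir . '/lib');
rmdir($dir);
```

Run it from the command line with `php guard.php`. The first echo shows an empty string, because the library defines functions and nothing else; the second shows the thrown exception; the third shows the credentials coming back once the entry point has declared itself. The marker is only a convention between your own files, not a defence against someone who can already execute PHP on the box, which is the same point the thread makes: the guard removes the "called directly" leak, and the directory name then stops mattering.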

P.S. Feel free to provide your thoughts and feelings on my other security thread, Virtual Private Server (VPS) security. That is a place I could definitely use some expert advice! :slight_smile:

I don’t disagree with anything you said above.

Debbie

Yes, that is what I thought he was saying.

And what was he proposing?

Now, if it has secure documents or something, that is a different story, but then those wouldn’t be accessible by the user anyways, so if you just pick a folder (with a reasonable name), who’s gonna find it?

So let’s say I have articles or images that are for “preferred” customers. They aren’t technically being used/relevant to a lot of users, but they are still sitting out there for a select few. So that is an example of the bigger picture of my desire to hide, obscure and protect from casual browsing.

Debbie

Gee, you guys sure came out of the woodwork at an inopportune time! (Gang tackling poor Debbie after an all-nighter!) :lol:

Most of this thread is over my head or not relevant, but still somewhat interesting.

At least it will help others out.

Where are my Tylenol?! :sick:

Debbie

Yes, that is what I thought he was saying.

And what was he proposing?

He’s proposing his theme approach. He’s saying if you make a whole folder just for css (which should contain at most only a small handful of files), you may want to reconsider things.

I personally disagree with him on this, but I see his point.

So let’s say I have articles or images that are for “preferred” customers. They aren’t technically being used/relevant to a lot of users, but they are still sitting out there for a select few. So that is an example of the bigger picture of my desire to hide, obscure and protect from casual browsing.

I would put those in a different section entirely. Just like how if I create an admin section, anything related to the admin section lives within those folders.

I’d create some kind of control panel section in which all of the files only viewable at that level live.

Sorry, but I’m used to seeing them referred to that way for oh say… thirty years.

Since that’s what it’s called when working from the command line or in a real programming language… Though I always argued that up and down were reversed on that, since down should take you closer to the root; but it refers to how programs like DOS Tree, Commander or XTree displayed the filesystem tree, with root at the top and the branches going down. Up-tree referred to going up that tree list, down-tree, well…

But again, I’m the guy who looks at the default behavior of current filesystems and screams “Oh for crying out loud, just show me the damned filesystem tree!” (at least windows can be set to default to that - feel like ripping my hair out when I’m stuck on the crippleware of Linsux and OSuX… well, more like OSuX since at least on Linux there’s ZTree) – really sad when today’s file management software isn’t as capable or complete as a DOS application from 1985.

Another of those things that it seems isn’t being taught and/or isn’t being learned by programmers of the past few years; like all the good lessons of what was considered computer basics 101 a decade ago have been thrown in the trash… lessons like don’t let library files in a scripting language output anything… lessons like globals and defines should never be used for security information… lessons like how to use a filesystem tree efficiently… lessons like what chmod is, how to use it, and that leaving your #1 security file or even ANY file in the system 777, 666 or even 755 is a REALLY BAD IDEA.

(Since it often seems EVERY CMS and forum software wants you to do that these days… and that’s not just WP I’m ragging on for that – see SMF, phpBB and vBull)
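The post above calls leaving files at 777 or 666 a really bad idea; the quickest way to find out whether a CMS install has talked you into that is to walk the web root and list every entry that grants write permission to group or others. The script below is an added example, not code from this thread or from any of the CMS packages named; the throwaway directory layout, file names and modes it creates are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: a small audit that walks a web root
// and reports files or directories that are group- or world-writable, the
// 777/666 modes the post above warns against. The directory layout and modes
// below are constructed for the demonstration.

/**
 * Return [relative path => octal mode] for every entry under $root whose
 * mode grants write permission to group or others (mode & 0022 != 0).
 */
function find_writable(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = fileperms($path) & 0777;
        if (($mode & 0022) !== 0) {
            $hits[substr($path, strlen($root) + 1)] = sprintf('%04o', $mode);
        }
    }
    ksort($hits);
    return $hits;
}

// Build a throwaway tree: one sane file, one world-writable config, one 777
// upload directory. mkdir() honours umask, so the directory mode is forced.
$root = sys_get_temp_dir() . '/perm_audit_' . getmypid();
mkdir($root . '/uploads', 0755, true);
chmod($root . '/uploads', 0777);
file_put_contents($root . '/index.php', "<?php\n");
chmod($root . '/index.php', 0644);
file_put_contents($root . '/config.php', "<?php\n");
chmod($root . '/config.php', 0666);

// Expected to list config.php (0666) and uploads (0777) but not index.php.
foreach (find_writable($root) as $path => $mode) {
    echo $mode, '  ', $path, "\n";
}

// Clean up the constructed tree.
unlink($root . '/config.php');
unlink($root . '/index.php');
rmdir($root . '/uploads');
rmdir($root);
```

Point `find_writable()` at a real document root instead of the temporary tree to audit an install; on Windows `fileperms()` does not carry POSIX mode bits, so the check is only meaningful on a Unix-like host. A directory that genuinely must accept uploads is better owned by the web server user with 0755 than opened to everyone with 0777, and the audit makes the difference visible.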

[ot]

But again, I’m the guy who looks at the default behavior of current filesystems and screams “Oh for crying out loud, just show me the damned filesystem tree!” (at least windows can be set to default to that - feel like ripping my hair out when I’m stuck on the crippleware of Linsux and OSuX…

Maybe because command-line cowboys don’t need to “see a tree”. People who do, use GUIs it seems.
Which is why the “menu system” of the text browser Elinks always makes me laugh… it imitates a graphical browser dropdown… in the terminal.[/ot]

Off Topic:

So… no midnight commander or ztree for you?

Folder/File Security is simple in .NET. We use a web.config file. You PHP people are missing out.

There are quite a few things in .NET that drive me absolutely nuts though… Things that can be overcome, but most people don’t (such as relying on .NET to generate your HTML and Javascript… and winding up with a quarter-meg of Javascript).

Agree 100%. I’m not a fan of the Web Forms component model, but then again, it was the “in” thing in .NET development 8 years ago. Thank God for the savior, MVC. It’s really a pleasure to develop with, and it’s almost, almost as trivial as PHP. Good time for PHP developers to open their minds, branch out and give .NET a chance. Some of the best “technologies” have come out recently, Entity Framework, MVC, and LINQ, for example.

I tried giving .NET a chance once, and it failed at the first block - having to buy visual studio!

All very interesting, but that has nothing to do with my original thread…

Debbie

Common names for resource directories are only a security risk on popular software that’s already targeted by worms/bots/etc. Baddies don’t go around looking for sites with directories named like that, they write programs that look around for directories that hint at specific software, software with known security holes and used on thousands of websites, being used.

[ot]

So… no midnight commander or ztree for you?

Nope. But when I want to see folders and stuff, I use a GUI.[/ot]

This is exactly what I would have said. You wanted to make it read-only because you’re assuming that hackers will access your server… You should never assume this and make appropriate server configuration. I once owned a public server and I set it so that only specific client IPs can access the server (along w/ the usual userid/password). If the hacker still managed to get inside then… he’ll laugh at your pathetic attempt to make the directory read-only. Of course nothing is ever 100% secured but one must draw the line somewhere… I definitely won’t draw it at “make directory read only or obfuscating the files”

Tough to admit, but it’s basically useless to settle for security through obscurity. Hackers simply write enumeration tools that scan hundreds of thousands of different directories within minutes. They simply have a dictionary with all possible combinations of your folders/directories. So to be honest, it’s a waste of time to obfuscate.

All that needs to be said has been said.

Thread closed.