问题
I saw in a thread and seen in some frameworks, that using the below structure is recommended. Can someone please explain why, in terms of security (if you can explain it thoroughly would be appreciated)? Are there any other advantages of this?
- root
- app
- application_folder
- config
- controllers
- models
- public_html
- css
- js
- images
- index.php
- .htaccess
- app
EDIT:
Does this have any effect if the server was hacked?
回答1:
The idea is that only the things that should be able to be accessed by the user are placed in public_html, so that random people on the Internet can't access random pieces of your code or data if they guess the right URL.
The usual way this is done is to have a public folder inside the app which is then symlinked to public_html or under, and not actually split the application in two parts.
回答2:
I have in previous projects for a customer put their configuration files outside of the public_html folder. It is possible, but when including PHP files I just did something like this
<?php
require_once('/home/brandon/config/config.php');
?>
Instead of this:
<?php
require_once('/home/brandon/public_html/config.php');
?>
回答3:
I've been struggling with this issue. Managing a large number of websites, I settled on putting my php libraries in a subdir under the public folder and referencing them using relative path in my includes. This way, I don't have to change any paths to run/test them on my development server vs production.
Last year, one of my client websites started getting hacked repeatedly. The hackers somehow gained access to FTP account and insert their own files (including php), as well as replacing some and deleting others, and creating directories. All this despite setting all dirs to 755 and files to 644 perms. Of course, once they have the FTP account, it's game over, try again.
They've hacked the site 6 times now (that I know of). This is the only one of my sites that has ever been hacked! I'm considering whether there is any point in relocating my php library files outside of public folder (for this site, anyway). I've confirmed that none of these files can be downloaded/viewed via the browser (get blank page, and blank view source page).
I'm also using SFTP, secure passwords, and guarding against SQL injection attacks.
The hackers have used a third-party cracking service to hit this site on at least one occasion. Each time, they do something different to/with the site. This site only uses PayPal, so no customer data is stored on-site. They have replaced the email address that is sent to PayPal to identity the seller account to credit the payment to, but customer never seem to be able to actually PAY (hacker probably does not have a PayPal account).
One remaining possibility is a key logger on their store computer. I will be putting that through the ringer in a couple of days.
Of course, the hosting provider will have nothing to do with this issue. They did a "scan" that only found 5 of the 21 dirty files (not counting directories) created by, replaced or deleted by the hacker. They keep telling me to pay for the "site lock" service, which appears to be totally useless and a complete waste of money.
I'd love to find a comprehensive "anti-hacker cookbook" that addresses security in shared hosting situations in great detail and has lots of good examples. Is there such a thing?
来源:https://stackoverflow.com/questions/17824482/placing-the-php-application-folder-above-public-html