UBB.threads PHP Forum Software Community Forums UBB.threads 7 Version 7 Support Secure config file

Aren't we supposed to do something to secure the config.inc.php file? Like something in .htaccess or moving it out of the includes directory or tightening permissions? It seemed there used to be two or three recommended steps, but now it seems like we just leave it in includes with the same 0666 permissions as the rest of the includes directory files, according to the installation documentation. Is that right? Is it secure? Doesn't it leave the database user and that user's password open for reading?

Thanks in advance,
Maria

For security reasons, Apache prevents PHP files from being downloaded so that the source code is unreadable, unless there is a server failure while you attempt the download. Normally, you'll only get the HTML output of a PHP file on your local computer as a "gift", not the source code. The config.ini.php contains only PHP code, and no HTML code.

If you locked your config.php file down at the server level with a 444, then it wont be able to be changed through the Control Panel. A CHMOD setting of 644 for that file is advised. The includes directory (IIRC) should be 755. That CHMOD setting will pass within the "Permissions Checks" control panel tool.

though via .htaccess, setting a user/password for your /admin and /templates/default directories is suggested.

Thanks so much for your speedy help! I will take care of those things now.

I have a .htaccess file in directories that the UBB does not embed files from that is:

As there is no user listing it will always deny browsing of the directory. I use this all over my CMS, you'll find through trial and error where to place it (if it pops up when browsing your forums, then you have it in a folder that we're calling files from, such as the libs folder).

Hi Gizmo, thank you for that idea. I've just moved servers and now I'm going to do the update from 7.5.8 to 7.5.9.