It is a common practice to place the php script (in my case, mysql_connect.php) that connects to the database outside your web-root folder so no one can access it from the web.

It just came to me that to improve my security why not place all my script outside the the web-root and leave only html/css with include linked to these scripts?

I know that php itself does not display in a web browser, so am I being paranoid? What's your it on this? Any technical problems I did not see in this?

if ipb and vb have their include files in a ubfolder, i'm sure you'd be fine doing the same thing. even if somebody did download those files, it probably would only give them a blank page or something similar since the source can't actually be downloaded, just the page that is displayed. i really don't see any need to be doing that.

Quote:

Originally Posted by PureEvil

if ipb and vb have their include files in a ubfolder, i'm sure you'd be fine doing the same thing. even if somebody did download those files, it probably would only give them a blank page or something similar since the source can't actually be downloaded, just the page that is displayed. i really don't see any need to be doing that.

I'm not talking about right click--> Save Page As..but probably more subtle PHP/Javascript/whatever injections that not quite close to total server access(you're in big trouble than). Through PHP injections hackers sometimes can download all your code (just like you, the webmaster might download it from the host) that's placed within the webroot however not outside the webroot.

PHP is a server-side script therefore it does all the processes on the server than write html code accordingly which is than displayed in your browser so of course there is no PHP.