Greetings:

A book I have, Essential PHP Security, suggests storing your PHP MySQL login credentials outside of the document root and using include() to, well, include them in your PHP scripts. I have, in the past on another, a less than satisfactory, free host, been able to do this. I cannot see a way to drop out of my document root in the File Manager, is there a way to do this on Zymic? I had an "inc" folder on the other host and simply put my database credentials in a "somefile.auth.inc.php" file which I included in the relevant scripts.

If this isn't possible would changing the group file attributes on the "somefile.auth.inc.php" file be adequate to protect it from hackers even if it stays in the document root? I try to be as careful and as security conscious about user data and website files as is possible on a given host.

Thanks in advance for any information.

Unfortunately this isn't possible on Zymic, what you can do is place your db connection credentials inside a directory which is denied web access, just drop this into a .htaccess in that directory:



Even if the php parser failed and started spitting out your source, the web server still wouldn't allow access to that file.