为什么我不将我的PHP文件放在public_html文件夹中？

Question

Some days ago someone criticize me about putting my application scripts inside public_html folder. Until then I thought that the the 755 file permission would be enough to keep my code from being read instead of executing.

I don't like the idea that nowadays a lest half of our application logic is public for the eyes in the form of JavaScript and they come from the public folder. But what is the real threat about the PHP scripts?

Answer 1

The difference is typically that JavaScript code is untrusted code (or at least it should be, since it's running on the client), whereas PHP code is usually considered trusted code (since it runs on the server where it can't be directly interfered with by users).

As such, someone discovering a hole in PHP source often has access to much greater privileges if they can exploit it than someone who discovers a hole in JavaScript code, since they can get PHP to run something server-side.

Now, while security through obscurity should not be your primary means of securing your code - it's always best to not have security holes in the first place - it's also generally not a good idea to make it easier for an attacker to locate a hole that somehow got introduced. Keeping things out of the non-script serving root helps prevent accidents ("oops, I accidentally disabled PHP, everyone who requests a page gets the source code instead") from occurring.

Furthermore, server-side files may include things like configuration data that is not meant to be public - internal network addresses, database info, et cetera (though it's also a good idea to keep things like credentials separate from your PHP code as well).