More Secure Config?

Posted: Wed Mar 14, 2018 11:57 pm
by SlidingHorn
I have a site that contains a MediaWiki, and one of the things they suggest when it comes to their LocalSettings.php (similar to s9y's serendipity_config_local.inc.php) to make it a little more secure is to create a separate PHP file outside of the webroot with the database connection settings and call to it with a require_once.

Is that something that might be a good idea for s9y? Would it be possible to do it as the code currently stands?

What are your thoughts?

(Here's a link to their suggestion: https://www.mediawiki.org/wiki/Manual:S ... _passwords )

EDIT: I do see that in the .htaccess, there is a denial to all requests for .inc.php. That protects the file, but I just wonder if the above practice would be just as effective, more effective, or less. I guess this is just an invitation to a broader discussion of "best practice" or preference...

Re: More Secure Config?

Posted: Wed Mar 21, 2018 10:46 am
by onli
I think it would be more effective, security-wise. Instead of relying on .htaccess you'd get the access restriction right out of the box.

The relevant code starts in https://github.com/s9y/Serendipity/blob ... c.php#L263. There we'd have to include the config_local in the new location.

The main problem in applying this generally is that it is something we can't do for existing installations. At least I can't think of an upgrade scheme right now that would allow moving the config out of the webroot, and to do so reliably on all possible server configs.

But I see no harm in applying this on your own installation. Just change the include path for that file to a directory outside the webroot that the webserver can read.
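As an added illustration of the per-installation change onli describes (this is example code, not s9y's or MediaWiki's own, and the directory layout, file name and `$serendipity['db*']` key names are assumptions to check against your own serendipity_config_local.inc.php), the snippet below is what the database section of the in-webroot config could be replaced with. The credentials live in a file the webserver cannot serve at all, and the loader fails closed if that file is missing or unreadable instead of continuing with empty settings.

```php
<?php
// Added example (not s9y or MediaWiki code): keep database credentials in a
// file outside the webroot and pull them into serendipity_config_local.inc.php.
//
// Assumed layout (adjust to your server):
//   /var/www/example.org/htdocs/                       <- webroot, s9y lives here
//   /var/www/example.org/private/serendipity_db.php    <- not reachable over HTTP
//
// Constructed sample contents of /var/www/example.org/private/serendipity_db.php
// (key names modeled on the $serendipity config array; verify against your file):
//
//   <?php
//   $serendipity['dbType']   = 'mysqli';
//   $serendipity['dbHost']   = 'localhost';
//   $serendipity['dbName']   = 's9y';
//   $serendipity['dbUser']   = 's9y_user';
//   $serendipity['dbPass']   = 'replace-me';
//   $serendipity['dbPrefix'] = 'serendipity_';
//
// Ownership and permissions for that file: readable by the webserver user only,
// e.g.  chown www-data:www-data serendipity_db.php && chmod 0400 serendipity_db.php

// Resolve the path relative to this config file (which sits in the s9y root),
// so the include keeps working if the whole site is moved to another directory.
$dbSettingsFile = dirname(__DIR__) . '/private/serendipity_db.php';

// Fail closed: a missing or unreadable credentials file must stop the request.
// Log the detail for the admin, but do not echo the filesystem path to visitors.
if (!is_readable($dbSettingsFile)) {
    error_log('s9y: database settings file is missing or not readable');
    http_response_code(500);
    exit('Configuration error.');
}

// PHP includes run in the including scope, so the assignments in the external
// file land in the same $serendipity array this config file already populates.
require_once $dbSettingsFile;

// Sanity check: every key the database connection needs must now be present.
// (dbPrefix may legitimately be the empty string, so only existence is tested.)
foreach (['dbType', 'dbHost', 'dbName', 'dbUser', 'dbPass', 'dbPrefix'] as $key) {
    if (!isset($serendipity[$key])) {
        error_log("s9y: database setting '$key' is missing from the settings file");
        http_response_code(500);
        exit('Configuration error.');
    }
}
```

The practical difference from the .htaccess rule SlidingHorn found is where the protection sits: the `.inc.php` deny rule only holds while Apache honours .htaccess (it is ignored under `AllowOverride None`, and does not apply to other webservers), whereas a file above the webroot is never inside any document tree the server is told to serve, so a handler misconfiguration that would return PHP source as plain text cannot expose the credentials. After the move, confirm that requesting the old and new paths over HTTP both fail, and that the file is not readable by other system users.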