Storing script files outside the web root directory

2023-09-02 09:49:57 Author: 无名指dé诱惑

I've seen recommendations to store some or all php include files some place other than in the web document root directory (username/public_html in my case) for the specific reason of protecting php files with sensitive information (like database connection and login info) in the event that the web server hiccups and stops protecting php files and they become 'visible' to outsiders who know where to look.

It seems somewhat paranoid to me, but I'm guessing people have gotten burned badly on this before, so I'm willing to go along. The suggestion usually takes the form of having the include files in something like '../include_files/', so it's not directly in the document root and not directly accessible to outsiders through the web server.

My question is this: is there a significant difference in security between that way and just putting your 'include_files' directory under the document root and sticking an .htaccess file in there (with the appropriate entries)? Would putting an .htaccess file in '../include_files/' make any significant improvement there?

TIA,

Recommended answer

Using .htaccess adds overhead since Apache has another item it needs to check for and process.

Keeping files out of web root isn't being paranoid, it's good practice. What happens if someone accesses one of the "include" files directly and it throws out revealing errors because all the pre-requisite files weren't loaded?

Each file needs to have its own security checks to make sure it is running under the expected environment. Each executable file in a web-accessible area is a potential security hole.
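The layout the answer recommends, as an added example that is not part of the original question or answer. It shows two files: a config include kept one level above the document root, carrying the per-file guard the answer asks for, and a front controller that resolves the private directory relative to its own location, refuses to start if that directory turns out to be under the document root, and restricts include names so a request parameter can never pick the file. All paths, function names and the `APP_ENTRY` constant are assumptions chosen for the example; the database credentials are placeholders.

```php
<?php
// Added example, not code from the original post. Two files are shown; save
// each under the path in its header. Paths and names are hypothetical.
//
// ===== File: /home/username/include_files/config.php =====
// Lives one directory ABOVE public_html, so Apache never serves it. The guard
// is a second layer: if the file is ever reachable by URL (moved into the
// document root, PHP handler misconfigured), the request ends here before
// anything sensitive is evaluated or any revealing error is emitted.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}

return [
    'db' => [
        'dsn'  => 'mysql:host=127.0.0.1;dbname=app',
        'user' => 'app',
        'pass' => 'replace-me',   // placeholder, not a real secret
    ],
];

// ===== File: /home/username/public_html/index.php =====
declare(strict_types=1);

// Marks that execution started at the real entry point; every private include
// checks for this before doing anything.
define('APP_ENTRY', true);

/**
 * Absolute path of the private include directory, resolved relative to this
 * file rather than to the requested URL, so it works from any route.
 */
function app_private_dir(): string
{
    $dir = realpath(dirname(__DIR__) . '/include_files');
    if ($dir === false) {
        throw new RuntimeException('include_files directory not found');
    }
    return $dir;
}

/**
 * Deployment check: true only if $privateDir is NOT inside $docRoot.
 * Canonical paths with a trailing separator are compared so that
 * /home/u/public_html_private does not match /home/u/public_html.
 */
function app_is_outside_docroot(string $privateDir, string $docRoot): bool
{
    $private = rtrim(realpath($privateDir) ?: $privateDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $root    = rtrim(realpath($docRoot) ?: $docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($private, $root, strlen($root)) !== 0;
}

/**
 * Load a private include by short name and return what it returns.
 * The whitelist regex rejects "../", slashes and extensions, so user input
 * can never steer this to another file.
 */
function app_require_private(string $name)
{
    if (!preg_match('/\A[a-z0-9_]+\z/', $name)) {
        throw new InvalidArgumentException('bad include name');
    }
    $path = app_private_dir() . DIRECTORY_SEPARATOR . $name . '.php';
    if (!is_file($path)) {
        throw new RuntimeException("missing include: $name");
    }
    return require $path;
}

// Fail closed if someone "fixed" a path by moving include_files into
// public_html: a generic message, not a stack trace naming the directory.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? __DIR__;
if (!app_is_outside_docroot(app_private_dir(), $docRoot)) {
    http_response_code(500);
    exit('misconfigured include path');
}

$config = app_require_private('config');
// From here the secrets are in memory only; nothing under public_html holds them.
echo 'configuration loaded for database user ' . htmlspecialchars($config['db']['user']);
```

If the include directory has to stay under the document root, an `.htaccess` containing `Require all denied` (Apache 2.4; `Deny from all` on 2.2) blocks direct requests, but it only takes effect while the server's `AllowOverride` setting permits it, which is exactly the kind of configuration slip the question worries about. Keeping the files above the document root and guarding each one does not depend on that setting.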