
Protect ini files


My whole sensitive config, like the DB connection params, is in the confi.ini file. Maybe someone has already written an .htaccess to prevent ini files from being read?

Thank you

edited Oct '14

Ideally you would not have the configuration files in the public web directory; they should be outside it. Your entire application (typically the 'app' dir) should be outside the public directory. The bootstrap index.php file and all static resources like CSS, JS, images, etc. should be the only files in the public directory.

I can't do that because of the server configuration. The FTP server has chrooted me at public_html.

edited Oct '14

In that case you might be best using a .php file for the configuration, rather than a .ini.

But if absolutely necessary, you can block access to the configuration directory by adding

deny from all

to your .htaccess. If that doesn't work, just do

order deny,allow

deny from all
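
An added example, not part of the original thread: an .htaccess for the document root that denies HTTP requests for any file ending in .ini, written to work under both the Apache 2.2 and Apache 2.4 access-control syntax. It assumes the host allows these directives in .htaccess (AllowOverride); the location public_html/.htaccess is taken from the chroot described above.

```apache
# Added example: place as public_html/.htaccess (document root).
# Blocks web requests for every *.ini file in this directory and below.
# PHP code can still read the file from disk; only HTTP access is denied.
<FilesMatch "\.ini$">
    # Apache 2.4 and later: authorization via mod_authz_core
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: mod_authz_core is absent, use the older Order/Deny syntax
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

After uploading, request the .ini file's URL directly: a 403 response confirms the rule is active, while getting the file's contents back means .htaccess overrides are not being honoured for that directory.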