Zend Framework - no public folder

I'm going to host an app on a shared host and there I couldn't create virtual host or change something at apache.

Often apps with ZF looks like that:

• root
• • public
• • • index.php
• • • .htaccess
• • application
• • library

I have sth. like that:

• root
• • application
• index.php
• .htaccess

All my code is in the application folder. But there are also some .ini and .xml files with sensitive information e.g. login names and passwords and so on...

If I add a .htaccess in the application folder with开发者_开发知识库 deny from all is the information secure inside the folder?

I wrote about this recently at http://akrabat.com/zend-framework/zend-framework-on-a-shared-host/.

The basics are:

Create an index.php in the root folder:

<?php 
define('RUNNING_FROM_ROOT', true);
include 'public/index.php';

Create a .htaccess file in the root folder:

SetEnv APPLICATION_ENV production

RewriteEngine On
RewriteRule .* index.php 

Maybe set the APPLICATION_ENV to development whilst testing :)

Be aware that when referencing static files the baseUrl() view helper now points to your root folder not your public/ folder.

You can keep the usual directory structure on shared hosting. Just change the document root with .htaccess. I do it like this when dealing with a shared hosting:

RewriteEngine On

php_value upload_max_filesize 15M
php_value post_max_size 15M
php_value max_execution_time 200
php_value max_input_time 200
# Exclude some directories from URI rewriting
#RewriteRule ^(dir1|dir2|dir3) - [L]

RewriteRule ^\.htaccess$ - [F]

RewriteCond %{REQUEST_URI} =""
RewriteRule ^.*$ /public/index.php [NC,L]

RewriteCond %{REQUEST_URI} !^/public/.*$
RewriteRule ^(.*)$ /public/$1

RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^.*$ - [NC,L]

RewriteRule ^public/.*$ /public/index.php [NC,L]

If I add a .htaccess in the application folder with deny from all is the information secure inside the folder?

It's not an ideal solution because if the provider would change the way .htaccess files are parsed (which they never will on a production machine, it would have to be a bad accident if that happened) but I guess it's the best you can get if there's no non-public directory.

If you can (I don't know whether ZF supports it), rename the xml and ini files to .php. That way, even if the protection is removed, they would get parsed as PHP files instead of being served to the public. It's a bit paranoid but if it's doable without much hassle, not a bad idea.

Do you only have access to the public directory on the virtual host? Usually hosts give you access to at least one directory above that, in which case a much better solution would be to create a folder there into which you put your application. You would then symlink the public vhost directory into the public directory of your app. Failing that, you could at least keep your configuration files outside of your vhost's public directory, since you can easily tell ZF where they are located.

If you absolutely can't do either of these things then you will have to use a file structure like the one you suggested. Assuming your sensitive ini/XML files are for use with Zend_Config, the component also supports PHP arrays for configuration (see example #1 at http://framework.zend.com/manual/en/zend.config.introduction.html ). This would be a slightly more secure option for you, as on the off chance your htaccess file wasn't working, your sensitive data wouldn't be viewable as long as PHP files were still being parsed as PHP.