The attachment file path is the location on your server that you wish to store attachments in.
We suggest you create a path that is above your web root, which means a directory that is not below public_html.
If you wish to create the directory in your web root, we then suggest you place a .htaccess file to block people from accessing it directly. If you do not do this, then anyone will be able to open your attachments directly by navigating this directory in their browser.
This directory must be writable by PHP, which generally means it must either be owned by the same user that your web server is running under or set to permissions 0777 or Global Read/Write on Windows Systems. Please refer to your system documents to find out how to set these permissions.
Please use the fully qualified path name to this directory.
In red: I’ve created a directory that is ABOVE/not in the public_html; it’s called MPATT (I also chmod it to 0777).
So what would my path setting look like? /path/to/your/attachment/directory
Upload the .htaccess file (as shown above) to the folder.
Refresh your browser; you should get a 500 server error.
If you can still access test.txt, your server doesn’t support .htaccess.
This approach provides a reasonable level of security to content below web root. Above web root, htaccess is not needed.
Be aware that attempting to access content in .htaccess-protected directories via ajax calls will fail. Instead, direct the ajax call to an unprotected file such as proxy.php and use an “include” to retrieve the content you need from the protected directory.
N.B. $_SERVER['DOCUMENT_ROOT'] must not have a trailing slash. If it has, then the script will require modifications.
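The proxy.php pattern from the post above, written out as an added example (not code from the thread or from any of its posters). It assumes the layout the thread describes: public_html is the web root and an MPATT directory sits one level above it; readfile() is used instead of include so a stored file is sent as bytes rather than executed, and basename() plus a realpath() containment check keep a guessed or manipulated name from reaching anything outside MPATT.

```php
<?php
// proxy.php lives in public_html (reachable by the browser) and hands out
// files stored in a directory the browser cannot reach directly.
// Assumed layout: /home/username/public_html is the web root and
// /home/username/MPATT (one level above it) holds the attachments.

// rtrim() guards against the trailing-slash case the N.B. warns about.
$docRoot   = rtrim($_SERVER['DOCUMENT_ROOT'], '/');
$attachDir = realpath(dirname($docRoot) . '/MPATT');   // assumed directory name

if ($attachDir === false) {
    http_response_code(500);
    exit('attachment directory not found');
}

// Accept only a bare file name: basename() discards any directory part,
// so "../" sequences in the query string never leave $attachDir.
$name = basename($_GET['file'] ?? '');
$full = ($name === '') ? false : realpath($attachDir . '/' . $name);

// realpath() resolves symlinks and rejects names that do not exist; insisting
// the result still begins with $attachDir rejects links pointing elsewhere.
if ($full === false
    || strpos($full, $attachDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($full)) {
    http_response_code(404);
    exit('not found');
}

// Serve as a download with a fixed content type so stored HTML or scripts
// are never interpreted by the browser.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($full));
readfile($full);
```

A request such as proxy.php?file=report.pdf returns /home/username/MPATT/report.pdf, while a direct request for /MPATT/report.pdf is not served at all because the directory is outside the web root.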
After some brief tests I think that there is no way to protect files below the public_html folder.
Can you give me an example of how to set the .htaccess and file permissions that prevent Joe Public from gaining access to files below the public_html folder?
Many thanks for the explicit explanation. I have updated the link and am surprised that the test.txt file can be included but not accessed from a link. Definitely “food for thought” as to which method is more appropriate to a particular task.
Just for clarification, because I’ve seen similar recommendations and am heading that direction for my site…
At my hosting provider, I have an account of ‘username’. If I get to my directory through FTP or a web-based file manager, and open up directory ‘/username’, I have all the various and assorted sub-directories, including ‘/username/public_html’. All my web pages and such are below public_html.
If I’m understanding things correctly, if I just put my php include files below public_html and someone correctly guesses the file name, they could potentially read the files and any settings (like database login information) in them?
So if I create a directory within ‘/username’ with the appropriate permissions and a .htaccess file in place, my php scripts under ‘/username/public_html’ can still use the include files and such stored there, but outside entities would not be able to reach those files at all.
At that point, my question would be… what’s the functional difference between putting the include files in a directory protected by file permissions and .htaccess that is above public_html, vs. one that is similarly protected below public_html, and why is the former recommended?