Included file above web directory on another domain

I have two domains: and

I was successfully able to include : /home/example_com_user_name/directory/config.php’ on from

This was done by putting this into’s .htaccess file.:

SetEnv PHPRC /home/example_com_user_name/directory/php.ini

Inside :/home/example_com_user_name/directory/php.ini’ is

 auto_prepend_file =  /home/example_com_user_name/directory/config.php 

I thought files above the public_html were not accessible. This seems like a huge security risk IMHO.

Other info. Both domains are on the same reseller hosting account. also has wildcard sub-domains turned on bye the web hosting provider.

Thus automatically goes to unless it is specified differently in the .htaccess.

This is why you can do it. You need to set the root directory and permissions for other accounts to be outside what you don’t want accessible.

Are you referring to chmod permissions of the root directory of each domain? I was lead to believe that files located above the public_html web directory were not available to external request. Is this not true?

They are not available to external request, but they are available to internal request. One of your scripts can include a file above public_html. It cannot be accessed directly from the internet, but it is available for your scripts to use. The domains are hosted on the same account and so they have access to the folders in the account including those above public_html.

This is actually pretty handy because your different sites can share code. For example, you can use the same database class between multiple addon sites.

I have been curious as to whether or not each separate reseller account can access other accounts on the same master reseller account. If I have a reseller account with a host using cPanel and I set up two separate accounts for two different people, would they have access to each other’s files or would they have separate user IDs? Maybe someone can chime in with an answer to that question of mine. :slight_smile:

Sorry, this is what I rwas referring to when stating you should set your document root for each user, if you do not want it to behave this way.