[eluser]Dan Hulton[/eluser]
Your basic CodeIgniter installation looks like:
- index.php
- .htaccess
- /system
This means that all the files in /system are accessible by anyone with some knowledge of CodeIgniter's structure. Heroic measures have been taken to ensure that even though people can access these files, no interesting data will be returned. But why were such heroic measures taken, when the alternative is clear, and far, far simpler:
- /public
--- index.php
--- .htaccess
- /system
Then go into index.php and change the $system_folder variable to "../system". Finally, point your webserver at the new /public directory and voila - no enterprising hackers may access your system folder.
You can take it further, and remove all those wasteful index.html files, and even further still by removing " if ( ! defined('BASEPATH')) exit('No direct script access allowed');" from all your PHP files, but I leave that as an exercise for the reader.
The real question is: Why is this not the format in which CodeIgniter is distributed?
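The relocation described in the post above, as an added shell example that is not part of the original post or of CodeIgniter itself. It assumes index.php contains an assignment of the form `$system_folder = "system";`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Build a constructed sample tree (not a real CodeIgniter release).
ci_make_sample() {
    mkdir -p "$1/system/application/config"
    printf '%s\n' '<?php' '$system_folder = "system";' > "$1/index.php"
    printf '%s\n' 'RewriteEngine On' > "$1/.htaccess"
    echo '<?php // constructed placeholder' > "$1/system/application/config/config.php"
}

# Move the front controller into ./public and repoint $system_folder.
ci_move_to_public() {
    root=$1
    [ -f "$root/index.php" ] && [ -d "$root/system" ] || {
        echo "not a CodeIgniter root: $root" >&2; return 1; }
    grep -q '^[[:space:]]*\$system_folder[[:space:]]*=' "$root/index.php" || {
        echo "no \$system_folder assignment in index.php" >&2; return 1; }

    mkdir -p "$root/public" || return 1
    # Rewrite while copying, so the original is removed only on success.
    sed 's|^\([[:space:]]*\$system_folder[[:space:]]*=[[:space:]]*\).*|\1"../system";|' \
        "$root/index.php" > "$root/public/index.php" || return 1
    rm "$root/index.php"
    if [ -f "$root/.htaccess" ]; then
        mv "$root/.htaccess" "$root/public/.htaccess"
    fi
}

# Status 0 only if no directory named "system" lives under the docroot.
ci_docroot_is_clean() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -type d -name system -print)" ]
}

# Demo on a throwaway directory.
demo=$(mktemp -d) && ci_make_sample "$demo" && ci_move_to_public "$demo" &&
    ci_docroot_is_clean "$demo/public" && echo "public/ exposes no system folder"
rm -rf "$demo"
```

Run `ci_docroot_is_clean` against the directory the web server is actually pointed at; it fails if the document root is still the original top-level folder.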