System and Application folder locations

[eluser]tomdelonge[/eluser]
I always like to move my application folder to be even with my system folder. Is it a good idea to move both the system folder and the application folder out of the webroot? Basically just leave index.php, .htaccess, and images, css, and javascript? Does anyone else do that? I figure that way, there's less possibilities for someone to access the scripts.

Does it matter?

[eluser]Johan André[/eluser]
Out of the webroot is GOOD for security.

[eluser]bretticus[/eluser]
CI convention dictates using

if ( ! defined('BASEPATH')) exit('No direct script access allowed');

which provides security as long as your webserver can parse php. If, by chance, your php module were to be turned off somehow, all your source code would be readable by the whole wide world (I've seen this happen loads of times in the past several years.)

I agree that putting your system and application folders outside of virtual root is very sound security practice. It's also very easy to change your paths under index.php to boot.

In fact, why not go even further and stick your ci core code (system folder sans application) somewhere and add it to your php include path via php.ini? Then put your individual application folders just outside their respective virtual roots (as you already do apparently.)

[eluser]Dam1an[/eluser]
I agree, putting the application and core folders out of the web root is the way to go, although not everyone has access above the web root, in which case the next line of defense is to put the define basepath check in all your files (why is that not at the start of the welcome controller?)

[eluser]wowdezign[/eluser]
I too place my application and system folders outside of the webroot.