[eluser]PV-Patrick[/eluser]
The config.php resides in the application folder; it's my understanding that the application folder needs to remain in the public_html directory, correct? If that's the case, then placing the system folder above the public_html directory really doesn't do much for the config.php file containing the key.
Let me see if I can explain my thought more specifically... Let's say in controller x.php I want to access that key via the encrypt functions. x.php is owned or grouped by the webserver/user (apache). For the config.php to be read, that user will need access to read that file, no matter WHERE it is. Thus, a malicious user that has uploaded a script as the user 'apache' can ALSO read that file. I know there obviously has to be a read; however, I guess I am asking what the safest way is to store an encryption key in CI. Directory structure/permissions, etc...
I'll also restate this since I really didn't get an answer. I don't allow it... but at the same time, I've seen it happen maliciously:
Can you elaborate on how I can disallow uploaded scripts from being executed, or point me in the direction where I can RTFM? Thank you!