I've searched around for this answer, and have found a few "solutions", but I don't think I quite understand how to accomplish this. I just finished a jQuery Mobile site that has 11 different PHP files for mailing form submittals. This being my first mobile "site", I wasn't too concerned with security at first, more functionality. Well, now that everything is functioning properly, I need to worry about locking it down. Those 11 PHP files are located in the same directory as all of my HTML files, and they contain the SMTP creds for submitting the email. Some of the solutions I've found say to locate those files outside of the webroot, but how would I reference them in my form action? Does this mean that I should just create a subfolder under the root and place them there and reference them instead of
<form method="post" action="bp-mail.php" enctype="multipart/form-data" data-ajax="false">
but now like
<form method="post" action="/scripts/bp-mail.php" enctype="multipart/form-data" data-ajax="false">
...or do they need to be located in a directory "above" the root in the webserver? If a subfolder is where they should go, what type of permissions should I place on the directory to allow the html pages to still call them, but not allow someone with some site-ripping software to grab them? If above the root, how should the path syntax be in the form code?
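An added example, not part of the original post: a form action is a URL, so the handler it names has to stay under the web root, but the handler can pull the SMTP credentials from a file outside the web root through a filesystem path. The sketch below checks that the credentials file really is outside the web root and not world-readable before loading it. The function name `load_smtp_config`, the `private/` and `public_html/` directory names, the file name `smtp-config.php` and the credential values are all assumptions made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: load SMTP settings from a PHP file that must sit
// outside the web root and must not be world-readable.
function load_smtp_config(string $configPath, string $webRoot): array
{
    $config = realpath($configPath);   // resolves "../" and symlinks
    $root   = realpath($webRoot);      // in a real handler: $_SERVER['DOCUMENT_ROOT']
    if ($config === false || $root === false || !is_file($config)) {
        throw new RuntimeException('config file or web root not found');
    }
    // Refuse a file that a URL could reach (str_starts_with needs PHP 8+).
    if (str_starts_with($config, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('config file is inside the web root');
    }
    // Refuse world-readable credentials (POSIX permission bits).
    if ((fileperms($config) & 0004) !== 0) {
        throw new RuntimeException('config file is world-readable');
    }
    $settings = require $config;       // the file returns an array
    if (!is_array($settings)) {
        throw new RuntimeException('config file did not return an array');
    }
    return $settings;
}

// Constructed layout in a temp directory, for demonstration only.
$base = sys_get_temp_dir() . '/webroot-demo-' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0755, true);
mkdir("$base/private", 0750, true);
// Placeholder credentials, not real values.
$body = "<?php return ['host' => 'smtp.example.com', 'user' => 'mailer', 'pass' => 'PLACEHOLDER'];\n";
foreach (['private', 'public_html'] as $dir) {
    file_put_contents("$base/$dir/smtp-config.php", $body);
    chmod("$base/$dir/smtp-config.php", 0640);
}

// What a handler such as public_html/bp-mail.php would do: step up one
// directory from the web root with a filesystem path, not a URL.
$cfg = load_smtp_config("$base/public_html/../private/smtp-config.php", "$base/public_html");
echo "loaded host: {$cfg['host']}\n";

// The same file placed beside the HTML pages is rejected.
try {
    load_smtp_config("$base/public_html/smtp-config.php", "$base/public_html");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

With this layout the form keeps `action="bp-mail.php"`; only the `require` path inside the handler points above the web root. Mode 0640 assumes the web server user reads the file through its group.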