I'm not sure this is fair to pin on PHP in a broad way. Many PHP frameworks do not use the application file-structure root as the httpd document root.
For example with a Symfony app:
. - App root
./web/ - httpd doc root
./app/ - app files
./app/config/ - config files
Barring an exploit that lets you break out of the httpd doc root (not saying this is impossible), there is no way to request the config or app files directly.
For example with a Symfony app:
. - App root
./web/ - httpd doc root
./app/ - app files
./app/config/ - config files
Barring an exploit that lets you break out of the httpd doc root (not saying this is impossible), there is no way to request the config or app files directly.