Best way to set the PHP include path in Apache and IIS

I have a PHP 5.2 application that runs under Apache, IIS and PHP-CLI.

I need to define the include path in such a way that it will be automatically loaded by PHP in each of these environments - but ONLY for this application, not for applications in other directories. The PHP 5.3 solution of custom php.ini files is not an option because we are still on PHP 5.2.

So far, I have the following solutions:

- Apache: Use SetEnv in .htaccess
- IIS: Set the value in the registry under "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PHP\Per Directory Values"
- PHP-CLI / PHPUnit: Use php -d "include_path=C:\inc1'"

Are these the best choices? Any other recommendations that would simplify this?

The one solution I do not want to do is to create a master include file that tries to figure out where it's running. The reason is that my app runs across numerous different directories, and so would need the master include file in order to find the master include file, which defeats the purpose.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Shinesh PremrajanEngineering ManagerCommented:
You can try using the .htacess. This will  work for each application and each one as a separate entity.

Hope this helps
JimBeveridgeAuthor Commented:

As I said in my question, I had already selected .htaccess as my solution for Apache. Are you adding something to that? And why do you believe .htaccess is useful for IIS and PHP-CLI?
Shinesh PremrajanEngineering ManagerCommented:
Well i thought just for Apache, .htaccess wont work in IIS, there you need to set it using web.config file.
.htaccess if easy to maintain, and the changes made wont affect other applications running on the same server.
.htaccess is not accessible to outside world.

in case of other options, if in case you need to change/add a new application, then you need to recompile all. while in this case its not needed.

Hope this helps
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Dave BaldwinFixer of ProblemsCommented:
What are you trying to 'include'?  There is the 'set_include_path ( )' function which covers where the require(), include(), fopen(), file(), readfile() and file_get_contents() functions look for files.  If that's the case, your files should be under the path of the PHP application.  Note that the 'include path' isn't for PHP extensions or system files that are part of the PHP interpreter.  Most PHP code that I have seen just uses file paths relative to the current file without any need for the 'include path'.
JimBeveridgeAuthor Commented:

You say that "Most PHP code that I have seen just uses file paths relative to the current file." However, I've tried that technique and it breaks rather quickly with nested include files. See

If you put the include files underneath the php application as you also suggest, then they can be served by your web server if you make a configuration mistake. Moving your include directory elsewhere is a standard security practice - for example, see

However, even if I weren't moving the include directory elsewhere, it still doesn't help very much.  The application root typically provides a well-known location from which all other paths can be easily derived. However, the app root can be hard to find. (See Also, the concept of app root does not exist under PHP-CLI, so I need a different solution for unit testing. (I do unit testing on both IIS and on Apache, so I can't just hardcode a value in my unit tests.)

So I'm not sure what value I get from set_include_path(). Either I have to copy the set_include_path() statement into every single php file, including code to determine the correct path (bad idea), or I need to have a master include file, and I've already described the problem with that.

All of which gets me back to where I started, which is why I want to have the root location of the include directory defined by something other than the PHP files, such as .htaccess with Apache. That solution works well, but my proposals for IIS and PHP-CLI solutions seem a little more dodgy.

I see from your profile that you have a substantial amount of experience in PHP, so maybe I'm missing something here? I'm an expert software developer with 30+ years experience, but my experience in PHP is limited.
Dave BaldwinFixer of ProblemsCommented:
I'm certainly not against what you're trying to do and I understand why.  While I do ok in PHP, I'd have to say I'm a lazy developer and what you're talking about sounds like a lot of work for very little result.  If the server is configured wrong, it will expose your main PHP files and it won't work so I hope someone would notice that and fix it.  

And on almost all questions here about using files outside the web root, the question of permissions comes up.  Apache and IIS really don't want you to do that and unless you change it, they normally don't allow the anonymous web user access outside the web root.

If your application is intended to be installed on shared hosting, then you probably have no choice about where your include files will be located.  I read the Drupal article.  It won't work on the shared hosting I'm familiar with because you wouldn't be allowed access.

If you have your own server, I guess you can set permissions so you can put your files where you want them.

If you have an 'installer' for your application, that would probably be the place to set the 'include path' on a per-installation basis.
JimBeveridgeAuthor Commented:
(All servers are dedicated, no problem with permissions.)

I still don't see how your "simplified" solution would work. With nested include files, relative paths break. You can't use them. The only way to solve the problem is to use a hardcoded path to the application's root include directory, which is the problem I'm trying to solve in the first place. Whether or not the include hierarchy is separate is irrelevant.
Dave BaldwinFixer of ProblemsCommented:
As I think about all the different Apache and IIS installations I have or have worked with, I think you have to simply choose how and where your application will be installed and limit it to that.  If you are dealing with both Windows and Linux, then you could have two different locations because of the difference in file systems.

What you're doing is probably more complicated than anything I would do anyway.  I wouldn't nest include files and would minimize the number of directories I used.
Beverley PortlockCommented:
Remember that there are two file systems involved here

1) Via Apache and access limited to everything in the web root

2) Via the O/S and PHP (fopen, include, etc) with virtually unlimited access

Putting include files outside the web root is indeed a good move, but PHP always needs to be able to read the files in question, but anbody putting a malicious PHP script inside the web root can always read everything outside the web root unless you enforce open_basedir.

As to the point about include files I would agree with DaveBaldwin that nesting them is a bad idea, but if they have to be nested then use include_once rather than include. For myself, I use relative paths and use the PHP autoloader where possible.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ray PaseurCommented:
Somewhere along the line you may want to know about the PHP defined constant DIRECTORY_SEPARATOR.  Too bad it is so long a constant name.  However it is very useful in cross-platform URL paths.
JimBeveridgeAuthor Commented:
Thanks for the solution. With autoload, I can effectively implement a custom include path that's not dependent on the relative position of files.
JimBeveridgeAuthor Commented:

I missed your second response about web.config, which was very helpful to me. I have created a second question in the PHP section to award you points.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.