Solved

Should I put includes folder outside webroot?

Posted on 2013-01-31
6
320 Views
Last Modified: 2013-02-01
Hi,

I have a web application that is accesible over the internet!
I have a folder (named "includes") and it contains all php function (functions, connections to mysql db) that I wrote!

As a security measure I would like to know if is better to put includes folder outside webroot or should I let the folder inside the webroot! Is this measure a must?

And if it's more secure to put the folder outside the webroot, how can I access php function files in a secure way?

Thank you!
0
Comment
Question by:Qw M
  • 3
  • 2
6 Comments
 
LVL 51

Expert Comment

by:Julian Hansen
ID: 38839166
There are arguments for and against this.

Personally I structure my includes so they can live anywhere but I usually keep them in the webroot because it makes moving the site around easier.

What I do do is the following at the top of each include

<?php
defined('_AUTH') or die('Restricted access');
...?>

If _AUTH is not defined the script terminates so an attempt to browse the included file will not yield anything.
0
 

Author Comment

by:Qw M
ID: 38839434
What is _AUTH? And how should be defined?

Thank you!
0
 
LVL 51

Accepted Solution

by:
Julian Hansen earned 500 total points
ID: 38840139
_AUTH is a custom define

define('_AUTH',1); // value can be anything

Basically you would define this in your code before including your includes that way the includes will "know" they are being called by your code.

Example

define('_AUTH',1);  // This could also be in a common file that is included first before other includes
require_once(BASE_PATH, '/includes/database.php'); 

Open in new window

Then in the database.php file
<?php
defined('_AUTH') or die('Restricted access');
// rest of your include code here
?>

Open in new window

BASE_PATH is also a custom define - I use it to abstract the install location of my includes so that I can put the includes anywhere in the filesystem (in or out of the web-root) - I usually define it in the config file.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 38840921
You should name all your include files with a '.php' extension so they will be run thru the PHP interpreter and not just delivered as text files.

Also, if these are intended to be used on shared web hosting, there are many hosting companies that do not allow access outside the web root.
0
 

Author Closing Comment

by:Qw M
ID: 38843160
Thank you!
0
 
LVL 51

Expert Comment

by:Julian Hansen
ID: 38843482
You are welcome.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

These days socially coordinated efforts have turned into a critical requirement for enterprises.
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now