Solved

Should I put includes folder outside webroot?

Posted on 2013-01-31
6
333 Views
Last Modified: 2013-02-01
Hi,

I have a web application that is accesible over the internet!
I have a folder (named "includes") and it contains all php function (functions, connections to mysql db) that I wrote!

As a security measure I would like to know if is better to put includes folder outside webroot or should I let the folder inside the webroot! Is this measure a must?

And if it's more secure to put the folder outside the webroot, how can I access php function files in a secure way?

Thank you!
0
Comment
Question by:Qw M
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 57

Expert Comment

by:Julian Hansen
ID: 38839166
There are arguments for and against this.

Personally I structure my includes so they can live anywhere but I usually keep them in the webroot because it makes moving the site around easier.

What I do do is the following at the top of each include

<?php
defined('_AUTH') or die('Restricted access');
...?>

If _AUTH is not defined the script terminates so an attempt to browse the included file will not yield anything.
0
 

Author Comment

by:Qw M
ID: 38839434
What is _AUTH? And how should be defined?

Thank you!
0
 
LVL 57

Accepted Solution

by:
Julian Hansen earned 500 total points
ID: 38840139
_AUTH is a custom define

define('_AUTH',1); // value can be anything

Basically you would define this in your code before including your includes that way the includes will "know" they are being called by your code.

Example

define('_AUTH',1);  // This could also be in a common file that is included first before other includes
require_once(BASE_PATH, '/includes/database.php'); 

Open in new window

Then in the database.php file
<?php
defined('_AUTH') or die('Restricted access');
// rest of your include code here
?>

Open in new window

BASE_PATH is also a custom define - I use it to abstract the install location of my includes so that I can put the includes anywhere in the filesystem (in or out of the web-root) - I usually define it in the config file.
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38840921
You should name all your include files with a '.php' extension so they will be run thru the PHP interpreter and not just delivered as text files.

Also, if these are intended to be used on shared web hosting, there are many hosting companies that do not allow access outside the web root.
0
 

Author Closing Comment

by:Qw M
ID: 38843160
Thank you!
0
 
LVL 57

Expert Comment

by:Julian Hansen
ID: 38843482
You are welcome.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question