Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Should I put includes folder outside webroot?

Posted on 2013-01-31
6
Medium Priority
?
348 Views
Last Modified: 2013-02-01
Hi,

I have a web application that is accesible over the internet!
I have a folder (named "includes") and it contains all php function (functions, connections to mysql db) that I wrote!

As a security measure I would like to know if is better to put includes folder outside webroot or should I let the folder inside the webroot! Is this measure a must?

And if it's more secure to put the folder outside the webroot, how can I access php function files in a secure way?

Thank you!
0
Comment
Question by:Qw M
  • 3
  • 2
6 Comments
 
LVL 60

Expert Comment

by:Julian Hansen
ID: 38839166
There are arguments for and against this.

Personally I structure my includes so they can live anywhere but I usually keep them in the webroot because it makes moving the site around easier.

What I do do is the following at the top of each include

<?php
defined('_AUTH') or die('Restricted access');
...?>

If _AUTH is not defined the script terminates so an attempt to browse the included file will not yield anything.
0
 

Author Comment

by:Qw M
ID: 38839434
What is _AUTH? And how should be defined?

Thank you!
0
 
LVL 60

Accepted Solution

by:
Julian Hansen earned 2000 total points
ID: 38840139
_AUTH is a custom define

define('_AUTH',1); // value can be anything

Basically you would define this in your code before including your includes that way the includes will "know" they are being called by your code.

Example

define('_AUTH',1);  // This could also be in a common file that is included first before other includes
require_once(BASE_PATH, '/includes/database.php'); 

Open in new window

Then in the database.php file
<?php
defined('_AUTH') or die('Restricted access');
// rest of your include code here
?>

Open in new window

BASE_PATH is also a custom define - I use it to abstract the install location of my includes so that I can put the includes anywhere in the filesystem (in or out of the web-root) - I usually define it in the config file.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 38840921
You should name all your include files with a '.php' extension so they will be run thru the PHP interpreter and not just delivered as text files.

Also, if these are intended to be used on shared web hosting, there are many hosting companies that do not allow access outside the web root.
0
 

Author Closing Comment

by:Qw M
ID: 38843160
Thank you!
0
 
LVL 60

Expert Comment

by:Julian Hansen
ID: 38843482
You are welcome.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to create an extensible mechanism for linked drop downs.
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.
Suggested Courses

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question