Qw M
asked on
Should I put includes folder outside webroot?
Hi,
I have a web application that is accessible over the internet!
I have a folder (named "includes") and it contains all the PHP functions (functions, connections to the MySQL db) that I wrote!
As a security measure I would like to know if it is better to put the includes folder outside the webroot or whether I should leave the folder inside the webroot! Is this measure a must?
And if it's more secure to put the folder outside the webroot, how can I access the PHP function files in a secure way?
Thank you!
ASKER
What is _AUTH? And how should it be defined?
Thank you!
You should name all your include files with a '.php' extension so they will be run through the PHP interpreter and not just delivered as text files.
Also, if these are intended to be used on shared web hosting, there are many hosting companies that do not allow access outside the web root.
ASKER
Thank you!
You are welcome.
Personally I structure my includes so they can live anywhere but I usually keep them in the webroot because it makes moving the site around easier.
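What I do do is the following at the top of each include:
<?php
// Stop here unless the including script has already defined _AUTH.
defined('_AUTH') or die('Restricted access');
// ... rest of the include file ...
?>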
If _AUTH is not defined the script terminates so an attempt to browse the included file will not yield anything.
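The guard above only works if the entry script defines the constant before it includes anything. The following is an added example, not code from any poster in this thread: it builds a constructed layout with the includes folder as a sibling of the web root and runs both files. The directory names, `db_config.php`, `get_db_settings()` and the use of `define('_AUTH', true)` in the entry script are assumptions made for illustration.

```php
<?php
// Added example (constructed layout): a guarded include kept outside the web root.
// Directory names, db_config.php and get_db_settings() are hypothetical.

$base     = sys_get_temp_dir() . '/auth_demo_' . getmypid();
$webroot  = "$base/public_html";   // the only directory the web server would serve
$includes = "$base/includes";      // sibling of the web root, never served
mkdir($webroot, 0755, true);
mkdir($includes, 0755, true);

// The include: starts with the guard, then only defines functions.
$incCode = <<<'INC'
<?php
defined('_AUTH') or die('Restricted access');
function get_db_settings(): array
{
    return ['host' => 'localhost', 'name' => 'appdb'];
}
INC;
file_put_contents("$includes/db_config.php", $incCode);

// The entry script: defines _AUTH first (assumed convention), then pulls the
// include in by a path built from its own location, not from request input.
$entryCode = <<<'ENTRY'
<?php
define('_AUTH', true);
require_once dirname(__DIR__) . '/includes/db_config.php';
echo 'db host: ' . get_db_settings()['host'];
ENTRY;
file_put_contents("$webroot/index.php", $entryCode);

// Run each file in its own PHP process, as the server would for one request.
function run_php(string $file): string
{
    return (string) shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($file));
}

echo 'via index.php : ', run_php("$webroot/index.php"), PHP_EOL;
echo 'include direct: ', run_php("$includes/db_config.php"), PHP_EOL;

// Clean up the constructed files.
unlink("$webroot/index.php");
unlink("$includes/db_config.php");
rmdir($webroot); rmdir($includes); rmdir($base);
```

Run it with the PHP command-line interpreter. The first line shows the entry script using the included function; the second shows the guard's message when the include is executed on its own.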