Solved

Should I put includes folder outside webroot?

Posted on 2013-01-31
Last Modified: 2013-02-01
Hi,

I have a web application that is accessible over the internet!
I have a folder (named "includes") and it contains all the PHP functions (functions, connections to the MySQL DB) that I wrote!

As a security measure I would like to know if it is better to put the includes folder outside the webroot or should I leave the folder inside the webroot! Is this measure a must?

And if it's more secure to put the folder outside the webroot, how can I access the PHP function files in a secure way?

Thank you!
0
Question by:Qw M
 
LVL 54

Expert Comment

by:Julian Hansen
ID: 38839166
There are arguments for and against this.

Personally I structure my includes so they can live anywhere but I usually keep them in the webroot because it makes moving the site around easier.

What I do do is the following at the top of each include

<?php
defined('_AUTH') or die('Restricted access');
...?>

If _AUTH is not defined the script terminates so an attempt to browse the included file will not yield anything.
0
 

Author Comment

by:Qw M
ID: 38839434
What is _AUTH? And how should it be defined?

Thank you!
0
 
LVL 54

Accepted Solution

by:
Julian Hansen earned 500 total points
ID: 38840139
_AUTH is a custom define

define('_AUTH',1); // value can be anything

Basically you would define this in your code before including your includes; that way the includes will "know" they are being called by your code.

Example

define('_AUTH',1);  // This could also be in a common file that is included first before other includes
require_once(BASE_PATH . '/includes/database.php');


Then in the database.php file
<?php
defined('_AUTH') or die('Restricted access');
// rest of your include code here
?>


BASE_PATH is also a custom define - I use it to abstract the install location of my includes so that I can put the includes anywhere in the filesystem (in or out of the web-root) - I usually define it in the config file.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38840921
You should name all your include files with a '.php' extension so they will be run thru the PHP interpreter and not just delivered as text files.

Also, if these are intended to be used on shared web hosting, there are many hosting companies that do not allow access outside the web root.
0
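An added example (not part of the thread or any poster's code) that audits an includes folder for the points raised in the answers above: whether it sits under the web root, whether each `.php` file starts with the `_AUTH` guard, and whether any file lacks the `.php` extension. The function names and the demo tree are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes the guard constant is _AUTH
// (as in the accepted answer); the demo paths and file names are constructed.
const GUARD = '~\A<\?php\s+(?:(?://[^\n]*|/\*.*?\*/)\s*)*'
    . 'defined\s*\(\s*[\'"]_AUTH[\'"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b~s';

// True when $path resolves (symlinks included) to a location under $root.
function isInside(string $path, string $root): bool
{
    $p = realpath($path);
    $r = realpath($root);
    return $p !== false && $r !== false && strpos(
        $p . DIRECTORY_SEPARATOR, rtrim($r, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0;
}

// Returns [relative path => finding] for every file that needs attention.
function auditIncludes(string $dir, string $webRoot): array
{
    $dir = rtrim($dir, '/\\');
    $exposed = isInside($dir, $webRoot); // can a browser request these files?
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (!$file->isFile()) { continue; }
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        if (strtolower($file->getExtension()) !== 'php') {
            if ($exposed) { // not parsed by PHP, so the source is sent as text
                $findings[$rel] = 'not .php: delivered as text if requested';
            }
        } elseif (!preg_match(GUARD, file_get_contents($file->getPathname(), false, null, 0, 2048))) {
            $findings[$rel] = $exposed
                ? 'no _AUTH guard: executes when requested directly'
                : 'no _AUTH guard (outside web root, not URL-reachable)';
        }
    }
    ksort($findings);
    return $findings;
}

// Constructed demo: a web root with includes/ inside it.
$root = sys_get_temp_dir() . '/incaudit_' . getmypid();
mkdir("$root/includes", 0700, true);
file_put_contents("$root/includes/database.php", "<?php\ndefined('_AUTH') or die('Restricted access');\n");
file_put_contents("$root/includes/functions.php", "<?php\nfunction helper() {}\n");
file_put_contents("$root/includes/config.inc", "<?php \$dbPassword = 'example';\n");
foreach (auditIncludes("$root/includes", $root) as $file => $finding) {
    echo "$file: $finding\n";
}
```

On a real site, call `auditIncludes()` with the actual includes path and document root instead of the demo tree; the guard check only accepts the guard as the first statement after `<?php`, optionally preceded by comments.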
 

Author Closing Comment

by:Qw M
ID: 38843160
Thank you!
0
 
LVL 54

Expert Comment

by:Julian Hansen
ID: 38843482
You are welcome.
0
