Solved

Should I put includes folder outside webroot?

Posted on 2013-01-31
Last Modified: 2013-02-01
Hi,

I have a web application that is accessible over the internet!
I have a folder (named "includes") and it contains all the PHP functions (functions, connections to the MySQL DB) that I wrote!

As a security measure, I would like to know if it is better to put the includes folder outside the webroot or should I leave the folder inside the webroot! Is this measure a must?

And if it's more secure to put the folder outside the webroot, how can I access the PHP function files in a secure way?

Thank you!
0
Question by:Qw M
6 Comments
 
LVL 55

Expert Comment

by:Julian Hansen
ID: 38839166
There are arguments for and against this.

Personally I structure my includes so they can live anywhere but I usually keep them in the webroot because it makes moving the site around easier.

What I do do is the following at the top of each include

<?php
defined('_AUTH') or die('Restricted access');
// ... rest of the include file
?>

If _AUTH is not defined the script terminates so an attempt to browse the included file will not yield anything.
0
 

Author Comment

by:Qw M
ID: 38839434
What is _AUTH? And how should it be defined?

Thank you!
0
 
LVL 55

Accepted Solution

by:
Julian Hansen earned 500 total points
ID: 38840139
_AUTH is a custom define

define('_AUTH',1); // value can be anything

Basically, you would define this in your code before including your includes; that way the includes will "know" they are being called by your code.

Example

define('_AUTH',1);  // This could also be in a common file that is included first before other includes
require_once(BASE_PATH . '/includes/database.php'); // join path parts with "." (a comma here is a parse error)


Then in the database.php file
<?php
defined('_AUTH') or die('Restricted access');
// rest of your include code here
?>


BASE_PATH is also a custom define - I use it to abstract the install location of my includes so that I can put the includes anywhere in the filesystem (in or out of the web-root) - I usually define it in the config file.
0
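Added example, not part of the answer above or of the original thread: it combines the _AUTH guard and BASE_PATH define from the accepted solution with an includes folder that sits outside the web root. The directory layout, the `load_include()` helper and the `db_dsn()` function are hypothetical names chosen for illustration.

```php
<?php
// Constructed layout in a temp directory (POSIX-style paths assumed):
//   <root>/public   = web root
//   <root>/includes = outside the web root
$root = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
mkdir("$root/public", 0755, true);
mkdir("$root/includes", 0755, true);
file_put_contents("$root/public/index.php", "<?php // entry script\n");

// Include file carrying the _AUTH guard from the answer above.
$guarded = <<<'PHP'
<?php
defined('_AUTH') or die('Restricted access');
function db_dsn() { return 'mysql:host=localhost;dbname=app'; } // constructed value
PHP;
file_put_contents("$root/includes/database.php", $guarded);

// What the entry script under <root>/public would do:
define('_AUTH', 1);
define('BASE_PATH', realpath($root)); // parent of the web root

// Hypothetical helper: load an include by name and refuse anything
// that resolves to a path outside BASE_PATH/includes.
function load_include(string $name): void
{
    $dir  = BASE_PATH . '/includes';
    $path = realpath("$dir/$name.php");
    if ($path === false || strncmp($path, "$dir/", strlen($dir) + 1) !== 0) {
        throw new RuntimeException("Refusing to include: $name");
    }
    require_once $path;
}

load_include('database');
echo db_dsn(), "\n";

try {
    load_include('../public/index'); // resolves outside includes/
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```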
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38840921
You should name all your include files with a '.php' extension so they will be run thru the PHP interpreter and not just delivered as text files.

Also, if these are intended to be used on shared web hosting, there are many hosting companies that do not allow access outside the web root.
0
 

Author Closing Comment

by:Qw M
ID: 38843160
Thank you!
0
 
LVL 55

Expert Comment

by:Julian Hansen
ID: 38843482
You are welcome.
0