• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1150
  • Last Modified:

How to move and access a folder outside of the root folder

I have a connections folder that has a php file with the database connection details in it and then I include this file in any pages that require a database connection. I have heard that it is a good idea to move that folder out of the root but I don't know exactly where you would put it or how you would access it.

For example, I now have: ../connections/db.php

What would I change that to?

I am currently using a .htaccess file in the folder itself that has:

Options -Indexes

But, I think that moving the folder out of the root might be more secure?
0
Asked: Black Sulfur
2 Solutions
 
gr8gonzo (Consultant) commented:
Any file that sits anywhere within the document root is web-accessible. That means people can hit that file via a URL. So let's say you had a site called abc.com and your site's folder structure looks like:

/abc.com                     <-- Site root folder
        /public_ftp          <-- FTP folder, not web-accessible
        /mail                <-- Mail folder, not web-accessible
        /public_html         <-- Document root folder (http://www.abc.com)
                    /images  <-- Images folder (http://www.abc.com/images)
                    /css     <-- CSS folder (http://www.abc.com/css)

So if you had a file called "foobar.php" inside your public_html folder (your document root), then it could be accessed via the web at "http://www.abc.com/foobar.php".

That said, when you access a file via the web, the web server is usually configured to process files differently based on their file extension. So let's say you had two files:

/abc.com/public_html/details.txt:
<?php $database_password = "53cr3t!123"; ?>

/abc.com/public_html/myfile.php
<?php $database_password = "53cr3t!123"; ?>

If you visited each one of those, you'd get different results:
http://www.abc.com/details.txt would show you the raw contents of the file, like this:
<?php $database_password = "53cr3t!123"; ?>

However, http://www.abc.com/myfile.php would result in a blank web page because the web server would see the .php extension and run the code through the PHP engine and spit out the results. Since there's no output in the results, nobody would be able to see the PHP code with the password in it.

Now, part of security is ensuring you don't expose more than you need to. For example, if a malicious hacker wants to break into your site, one of the first things they'll do is figure out what URLs you have and what information that tells them about what files are there. So if there are any visible references or URLs for "myfile.php", then the hacker has a good idea that myfile.php exists in your document root. If he or she discovers a way to access the code but needs a filename, then the hacker now has the two pieces needed, and can therefore access that code. If you move content outside of the document root, it usually becomes less visible, and therefore safer, even if it is processed by an engine like PHP.

There's no guarantee that moving a file outside the document root will protect you completely - your job with security is to make it hard enough for a malicious hacker that they decide to move onto easier targets (when applicable). So moving files outside the document root is just an incremental step, but a good one. In the above example scenario, you might move a file with sensitive details to the site's root folder (different than the document root), which is /abc.com.
1
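As an added example (not gr8gonzo's code, and not the asker's existing db.php), here is what the suggested move looks like in practice: the credentials file lives at an assumed path /abc.com/config/db.php, above the document root /abc.com/public_html, and the public script locates it with an absolute path built from its own directory. The block lists two files; the credentials and database name are placeholders, and the document-root check relies on the DOCUMENT_ROOT value the web server sets.

```php
<?php
// ---- file: /abc.com/config/db.php  (outside the document root; no URL maps to it) ----
// Placeholder credentials for this added example.
return [
    'dsn'      => 'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'user'     => 'example_user',
    'password' => 'replace-me',
];

<?php
// ---- file: /abc.com/public_html/index.php  (inside the document root) ----
declare(strict_types=1);

// Anchor on this file's own directory instead of a bare '../' that depends on
// the process's working directory.
$siteRoot   = dirname(__DIR__);              // /abc.com
$configFile = $siteRoot . '/config/db.php';  // /abc.com/config/db.php

// Sanity check: refuse to run if the config was (re)deployed under the document root.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$cfgReal = realpath($configFile);
if ($cfgReal === false) {
    http_response_code(500);
    exit('Database configuration is missing.');
}
if ($docRoot !== false && strpos($cfgReal, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('Database configuration must live outside the document root.');
}

$db = require $configFile;
try {
    $pdo = new PDO($db['dsn'], $db['user'], $db['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    http_response_code(500);
    error_log('DB connection failed: ' . $e->getMessage()); // log the detail, never echo it
    exit('Database unavailable.');
}
unset($db); // do not keep the password in a global any longer than needed
```

The check against DOCUMENT_ROOT is the "caveat" half of the example: a file that is supposed to be outside the web root only stays safe as long as nobody copies it back inside, and failing closed at startup is cheaper than discovering that through a visible details.txt-style leak.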
 
Ray Paseur commented:
My shared host provides this kind of directory structure.
/account                   <-- Site root folder
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

And I add something like this to my index.php file in the public_html directory
require_once('../common.php');

The common.php file has all my credentials, local classes and functions, and other fun stuff. With this in place, the structure now looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

You can do this for your database credentials, but as @gr8gonzo points out, the PHP parser will get control of any HTTP request to PHP files, and they will be parsed, so there is little likelihood that they can expose any information, since all they do is set variable values.

Where this becomes a more valuable idea... When you want to put other information assets online that you generally want to protect, but for authorized individuals you want to expose the information. Imagine a photo gallery that sells images. You can use client authentication to protect the page that accesses the gallery of images. Part of the authentication process can associate your users with the images they have purchased. The users will visit a script that will find their images in a directory that is above the web root. Now the structure looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /gallery               <-- Image resources
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

0
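The gallery script Ray describes, written out as an added example (this is not his code). It assumes his layout: the script sits at /account/public_html/image.php, the images live in /account/gallery above the web root, the login script has already stored the user's id in `$_SESSION['user_id']`, and /account/common.php returns a connected PDO object. The `purchases` table and its columns are hypothetical names for the purchase record the answer mentions.

```php
<?php
// /account/public_html/image.php  -- serves one purchased image from /account/gallery
declare(strict_types=1);
session_start();

$galleryDir = realpath(dirname(__DIR__) . '/gallery');   // /account/gallery, not web-accessible

// 1. Authentication: the login script (assumed) put the user's id in the session.
$userId = $_SESSION['user_id'] ?? null;
if ($userId === null) {
    http_response_code(401);
    exit('Login required.');
}

// 2. Accept only a bare file name: no separators, no '..', a known image extension.
$name = $_GET['img'] ?? '';
if ($name === '' || $name !== basename($name) || !preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png)$/', $name)) {
    http_response_code(400);
    exit('Bad request.');
}

// 3. Authorization: the user must have bought this image (hypothetical "purchases" table).
$pdo  = require dirname(__DIR__) . '/common.php';        // assumption: common.php returns a PDO
$stmt = $pdo->prepare('SELECT 1 FROM purchases WHERE user_id = ? AND image_name = ?');
$stmt->execute([$userId, $name]);
if ($stmt->fetchColumn() === false) {
    http_response_code(403);
    exit('Not purchased.');
}

// 4. Resolve the final path and confirm it is still inside the gallery directory.
$path = ($galleryDir === false) ? false : realpath($galleryDir . '/' . $name);
if ($path === false || strpos($path, $galleryDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found.');
}

// 5. Stream the bytes with the right content type; the real path never reaches the browser.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Steps 2 and 4 are belt and braces on purpose: the whitelist regex rejects anything that is not a plain file name, and the `realpath` containment check catches anything that still resolves outside /account/gallery (a symlink, for instance). Because the directory is above the document root, a user who guesses another customer's file name gets a 403 from step 3 rather than the image itself.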
 
Black Sulfur (Author) commented:
Interesting. So you are saying that:

require_once('../common.php');

will work even though common.php is outside of the public_html folder?
0
 
Ray Paseur commented:
Yes.

When you see /path/to/file that is an absolute path. Starting from the server's root, it's followed down to the file. With just /file that means that you're looking directly in the server's root.

Whenever you do not have a leading slash, the path is taken as relative. This means that, starting from your current point in the file system, you follow the path, so ../file would mean to look in the parent directory for the file.

Your server's hosting structure may be in play here. If you have access to an account directory that is above public_html, this is a workable strategy.

Generally speaking:
/ means the root, like public_html
./ means the current working directory
../ means the parent of the current directory
0
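To show how PHP actually resolves the three path forms listed above, here is an added command-line example (not from the thread). It builds a throwaway copy of the /account layout under the system temp directory, so it runs without touching a real site; the directory name and the contents of the generated files are constructed for the demo.

```php
<?php
// Added example: absolute, '../'-relative and __DIR__-anchored paths in PHP.
declare(strict_types=1);

$root = sys_get_temp_dir() . '/pathdemo_' . getmypid();   // stands in for /account
mkdir("$root/public_html/demo", 0700, true);
file_put_contents("$root/common.php", "<?php return 'common.php loaded';\n");
// A public_html script that anchors on its own directory instead of the cwd.
file_put_contents("$root/public_html/index.php",
    "<?php return require dirname(__DIR__) . '/common.php';\n");

// 1. Absolute path (leading '/'): resolved from the filesystem root; cwd is irrelevant.
$v = require "$root/common.php";
echo "absolute: $v\n";

// 2. Relative path ('../'): resolved against the *current working directory*.
//    Under Apache/mod_php the cwd is normally the requested script's directory,
//    which is why '../common.php' works from public_html/index.php ...
chdir("$root/public_html");
$v = require '../common.php';
echo "relative, cwd=public_html: $v\n";

//    ... but one level deeper the same string points at public_html itself.
chdir("$root/public_html/demo");
echo "relative, cwd=demo, ../common.php: ",    is_file('../common.php')    ? 'found' : 'not found', "\n";
echo "relative, cwd=demo, ../../common.php: ", is_file('../../common.php') ? 'found' : 'not found', "\n";

// 3. __DIR__-anchored path: works no matter where the process's cwd happens to be.
chdir('/');
$v = require "$root/public_html/index.php";
echo "__DIR__-anchored, cwd=/: $v\n";

// Remove the throwaway tree.
foreach (["$root/public_html/index.php", "$root/common.php"] as $f) { unlink($f); }
foreach (["$root/public_html/demo", "$root/public_html", $root] as $d) { rmdir($d); }
```

The practical point for the asker: `require_once('../connections/db.php')` works as long as every page that includes it runs with public_html as the working directory. A page in a subfolder, a cron job, or a CLI run will have a different cwd, and the include silently points somewhere else; `dirname(__DIR__) . '/connections/db.php'` does not have that problem.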