How to move and access a folder outside of the root folder

Posted on 2016-09-06
Last Modified: 2016-09-06
I have a connections folder that has a php file with the database connection details in it and then I include this file in any pages that require a database connection. I have heard that it is a good idea to move that folder out of the root but I don't know exactly where you would put it and how you would access it?

For example, I now have: ../connections/db.php

What would I change that to?

I am currently using a .htaccess file in the folder itself that has:

Options -Indexes

But, I think that moving the folder out of the root might be more secure?
Question by:Black Sulfur

Assisted Solution

gr8gonzo earned 250 total points
ID: 41786640
Any file that sits anywhere within the document root is web-accessible. That means people can hit that file via a URL. So let's say you had a site called and your site's folder structure looks like:

/                     <-- Site root folder
        /public_ftp          <-- FTP folder, not web-accessible
        /mail                <-- Mail folder, not web-accessible
        /public_html         <-- Document root folder (
                    /images  <-- Images folder (
                    /css     <-- CSS folder (


So if you had a file called "foobar.php" inside your public_html folder (your document root), then it could be accessed via the web at "".

That said, when you access a file via the web, the web server is usually configured to process files differently based on their file extension. So let's say you had two files:

<?php $database_password = "53cr3t!123"; ?>


<?php $database_password = "53cr3t!123"; ?>


If you visited each one of those, you'd get different results: would show you the raw contents of the file, like this:
<?php $database_password = "53cr3t!123"; ?>


However, would result in a blank web page because the web server would see the .php extension and run the code through the PHP engine and spit out the results. Since there's no output in the results, nobody would be able to see the PHP code with the password in it.

Now, part of security is ensuring you don't expose more than you need to. For example, if a malicious hacker wants to break into your site, one of the first things they'll do is figure out what URLs you have and what information that tells them about what files are there. So if there are any visible references or URLs for "myfile.php", then the hacker has a good idea that myfile.php exists in your document root. If he or she discovers a way to access the code but needs a filename, then the hacker now has the two pieces needed, and can therefore access that code. If you move content outside of the document root, it usually becomes less visible, and therefore safer, even if it is processed by an engine like PHP.

There's no guarantee that moving a file outside the document root will protect you completely - your job with security is to make it hard enough for a malicious hacker that they decide to move onto easier targets (when applicable). So moving files outside the document root is just an incremental step, but a good one. In the above example scenario, you might move a file with sensitive details to the site's root folder (different than the document root), which is /

Accepted Solution

Ray Paseur earned 250 total points
ID: 41786708
My shared host provides this kind of directory structure.
/account                   <-- Site root folder
    /public_html           <-- Document root folder
        /demo              <-- Demonstration folder


And I add something like this to my index.php file in the public_html directory


The common.php file has all my credentials, local classes and functions, and other fun stuff.  With this in place, the structure now looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /public_html           <-- Document root folder
        /demo              <-- Demonstration folder


You can do this for your database credentials, but as @gr8gonzo points out, the PHP parser will get control of any HTTP request to PHP files, and they will be parsed, so there is little likelihood that they can expose any information, since all they do is set variable values.

Where this becomes a more valuable idea... When you want to put other information assets online that you generally want to protect, but for authorized individuals you want to expose the information.  Imagine a photo gallery that sells images.  You can use client authentication to protect the page that accesses the gallery of images.  Part of the authentication process can associate your users with the images they have purchased.  The users will visit a script that will find their images in a directory that is above the web root.  Now the structure looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /gallery               <-- Image resources
    /public_html           <-- Document root folder
        /demo              <-- Demonstration folder
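
The layout described above, sketched as an added example (not part of the original answer and not the poster's code): a script inside public_html that loads common.php from the parent folder and serves a purchased image from /gallery. The script name download.php, the img parameter and the session keys user_id and purchased_images are assumptions made for illustration.

```php
<?php
// Added example: /account/public_html/download.php (hypothetical name).
// Layout assumed from the answer above:
//   /account/common.php   /account/gallery/   /account/public_html/

// __DIR__ is /account/public_html, so dirname(__DIR__) is /account.
// Building the path from __DIR__ does not depend on the working directory.
$accountRoot = dirname(__DIR__);
require_once $accountRoot . '/common.php';   // credentials stay outside the web root

session_start();

// Assumption: the login code stored these two values in the session.
$userId = $_SESSION['user_id'] ?? null;
$owned  = $_SESSION['purchased_images'] ?? [];   // e.g. ['sunset.jpg', 'harbor.jpg']

if ($userId === null) {
    http_response_code(403);
    exit('Not logged in');
}

// basename() drops any directory part, so "../common.php" becomes "common.php".
$requested = basename((string) ($_GET['img'] ?? ''));
if ($requested === '' || !in_array($requested, $owned, true)) {
    http_response_code(404);
    exit('Not found');
}

// realpath() resolves symlinks and ".." segments; the resolved file must
// still sit inside the gallery folder before it is sent.
$galleryDir = realpath($accountRoot . '/gallery');
$path       = realpath($galleryDir . '/' . $requested);

if ($galleryDir === false || $path === false
    || strncmp($path, $galleryDir . DIRECTORY_SEPARATOR, strlen($galleryDir) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because /gallery has no URL of its own, this script is the only route to the images, so the ownership check cannot be bypassed by requesting the file directly.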



Author Comment

by:Black Sulfur
ID: 41786772
Interesting. So you are saying that:



will work even though common.php is outside of the public_html folder?

Expert Comment

by:Ray Paseur
ID: 41786799

When you see /path/to/file that is an absolute path. Starting from the server's root, it's followed down to the file. With just /file that means that you're looking directly in the server's root.

Whenever you do not have a leading slash, the path is taken as relative.  This means that, starting from your current point in the file system, you follow the path, so ../file would mean to look in the parent directory for the file.

Your server's hosting structure may be in play here.  If you have access to an account directory that is above public_html, this is a workable strategy.

Generally speaking:
/ means the root, like public_html
./ means the current working directory
../ means the parent of the current directory
