How to move and access a folder outside of the root folder

Posted on 2016-09-06
Medium Priority
Last Modified: 2016-09-06
I have a connections folder that has a php file with the database connection details in it and then I include this file in any pages that require a database connection. I have heard that it is a good idea to move that folder out of the root but I don't know exactly where you would put it and how you would access it?

For example, I now have: ../connections/db.php

What would I change that to?

I am currently using a .htaccess file in the folder itself that has:

Options -Indexes

But, I think that moving the folder out of the root might be more secure?
Question by: Black Sulfur

Assisted Solution

gr8gonzo earned 1000 total points
ID: 41786640
Any file that sits anywhere within the document root is web-accessible. That means people can hit that file via a URL. So let's say you had a site called abc.com and your site's folder structure looks like:

/abc.com                     <-- Site root folder
        /public_ftp          <-- FTP folder, not web-accessible
        /mail                <-- Mail folder, not web-accessible
        /public_html         <-- Document root folder (http://www.abc.com)
                    /images  <-- Images folder (http://www.abc.com/images)
                    /css     <-- CSS folder (http://www.abc.com/css)

So if you had a file called "foobar.php" inside your public_html folder (your document root), then it could be accessed via the web at "http://www.abc.com/foobar.php".

That said, when you access a file via the web, the web server is usually configured to process files differently based on their file extension. So let's say you had two files:

details.txt
<?php $database_password = "53cr3t!123"; ?>

myfile.php
<?php $database_password = "53cr3t!123"; ?>

If you visited each one of those, you'd get different results:
http://www.abc.com/details.txt would show you the raw contents of the file, like this:
<?php $database_password = "53cr3t!123"; ?>

However, http://www.abc.com/myfile.php would result in a blank web page because the web server would see the .php extension and run the code through the PHP engine and spit out the results. Since there's no output in the results, nobody would be able to see the PHP code with the password in it.

Now, part of security is ensuring you don't expose more than you need to. For example, if a malicious hacker wants to break into your site, one of the first things they'll do is figure out what URLs you have and what information that tells them about what files are there. So if there are any visible references or URLs for "myfile.php", then the hacker has a good idea that myfile.php exists in your document root. If he or she discovers a way to access the code but needs a filename, then the hacker now has the two pieces needed, and can therefore access that code. If you move content outside of the document root, it usually becomes less visible, and therefore safer, even if it is processed by an engine like PHP.

There's no guarantee that moving a file outside the document root will protect you completely - your job with security is to make it hard enough for a malicious hacker that they decide to move onto easier targets (when applicable). So moving files outside the document root is just an incremental step, but a good one. In the above example scenario, you might move a file with sensitive details to the site's root folder (different than the document root), which is /abc.com.
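
A worked version of that last step, added here as an illustration; it is not code from gr8gonzo's answer. It assumes the layout from the answer (/abc.com as the site root, /abc.com/public_html as the document root) and a hypothetical file /abc.com/connections/db.php that does nothing but return the credentials as an array. The bootstrap below is assumed to live at /abc.com/public_html/bootstrap.php; a page in public_html pulls it in with require __DIR__ . '/bootstrap.php', and a page in public_html/demo with require __DIR__ . '/../bootstrap.php'. It builds the path to db.php from __DIR__ rather than from "../", because a relative path is resolved against the process's working directory and not the requested script, and it refuses to start if the credentials file turns out to be reachable through the web server after all.

```php
<?php
// Added example, not code from the original answer. Assumed layout:
//   /abc.com/                    site root
//   /abc.com/connections/db.php  credentials, outside the document root (hypothetical file)
//   /abc.com/public_html/        document root; this file is public_html/bootstrap.php
//
// db.php is assumed to contain only a return statement, e.g.
//   return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'app', 'pass' => '53cr3t!123'];
declare(strict_types=1);

// Absolute path of the credentials file, computed from this file's own location.
// A relative "../connections/db.php" is resolved against the process's current
// working directory, which is not necessarily the folder of the script the web
// server was asked for, so it breaks as soon as pages live in subfolders.
function credentialsPath(): string
{
    return dirname(__DIR__) . '/connections/db.php';   // public_html -> /abc.com
}

// Refuse to continue if the credentials file is reachable through the web server.
// DOCUMENT_ROOT is supplied by the web server (absent when run from the CLI);
// realpath() canonicalises symlinks and ".." on both sides so the prefix test
// cannot be fooled by an unusual spelling of the path.
function assertOutsideDocumentRoot(string $path): void
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }
    $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    if ($docRoot === '') {
        return;                                  // not running under a web server
    }
    $docRoot = realpath($docRoot);
    if ($docRoot === false) {
        return;
    }
    $prefix = rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("credentials file is inside the document root: $real");
    }
}

// Load the array returned by db.php and check it has the keys we rely on.
function loadCredentials(): array
{
    $path = credentialsPath();
    assertOutsideDocumentRoot($path);
    $creds = require $path;                      // db.php returns an array (assumed)
    if (!is_array($creds) || !isset($creds['dsn'], $creds['user'], $creds['pass'])) {
        throw new RuntimeException('credentials file has an unexpected shape');
    }
    return $creds;
}

// Open the database connection every page will share.
function connect(): PDO
{
    $c = loadCredentials();
    return new PDO($c['dsn'], $c['user'], $c['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

$pdo = connect();   // pages that require this bootstrap use $pdo
```

Returning an array from db.php, instead of setting globals the way the details.txt example does, keeps the credentials out of the global namespace and makes the "unexpected shape" check possible; the document-root check costs one realpath() per request and catches the case where the connections folder is later copied or symlinked back under public_html by mistake.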

Accepted Solution

Ray Paseur earned 1000 total points
ID: 41786708
My shared host provides this kind of directory structure.
/account                   <-- Site root folder
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

And I add something like this to my index.php file in the public_html directory

The common.php file has all my credentials, local classes and functions, and other fun stuff.  With this in place, the structure now looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

You can do this for your database credentials, but as @gr8gonzo points out, the PHP parser will get control of any HTTP request to PHP files, and they will be parsed, so there is little likelihood that they can expose any information, since all they do is set variable values.

Where this becomes a more valuable idea is when you want to put other information assets online that you generally want to protect, but that you do want to expose to authorized individuals. Imagine a photo gallery that sells images. You can use client authentication to protect the page that accesses the gallery of images. Part of the authentication process can associate your users with the images they have purchased. The users will visit a script that will find their images in a directory that is above the web root. Now the structure looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /gallery               <-- Image resources
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/


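The gallery idea above, worked into a download script as an added example; it is not Ray Paseur's own code. It assumes his layout (/account/gallery holds the purchased images, /account/public_html is the document root), a hypothetical file /account/public_html/image.php requested as image.php?f=sunset.jpg, a login step that has already stored the user's id in $_SESSION['user_id'], and a constructed purchases map standing in for the database table. The point to take from it: once a script reads files from outside the document root, the file name arriving in the request has to be pinned inside that one directory, otherwise ?f=../common.php would hand out the credentials file that was just moved there for safety.

```php
<?php
// Added example, not code from the original answer. Assumed layout:
//   /account/gallery/        purchased images, outside the document root
//   /account/public_html/    document root; this file is public_html/image.php
declare(strict_types=1);

const GALLERY_DIR = __DIR__ . '/../gallery';

// Constructed sample data standing in for the purchases table: user id -> file names.
const PURCHASES = [
    42 => ['sunset.jpg', 'harbour.png'],
    43 => ['harbour.png'],
];

const CONTENT_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif',
];

// Resolve a requested name to an absolute path inside GALLERY_DIR, or null.
// Two independent checks: the name must be a plain file name (no slashes, no "..",
// known extension), and the canonical path must still start with the gallery
// directory, which also catches a symlink in the gallery pointing elsewhere.
function resolveGalleryFile(string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/', $name)) {
        return null;
    }
    $base = realpath(GALLERY_DIR);
    $path = realpath(GALLERY_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                             // escaped the gallery directory
    }
    return $path;
}

// Authorisation: the user must have bought this exact file name.
function userMayDownload(int $userId, string $name): bool
{
    return in_array($name, PURCHASES[$userId] ?? [], true);
}

// Stream the file with a content type taken from the allowlist, never from the request.
function sendImage(string $path): void
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . (CONTENT_TYPES[$ext] ?? 'application/octet-stream'));
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
}

session_start();
$userId = $_SESSION['user_id'] ?? null;          // set by the site's login code (assumed)
$name   = $_GET['f'] ?? '';

if (!is_int($userId)) {
    http_response_code(401);
    exit('login required');
}
if (!userMayDownload($userId, $name)) {
    http_response_code(403);                     // same answer whether or not the file exists
    exit('not purchased');
}
$path = resolveGalleryFile($name);
if ($path === null) {
    http_response_code(404);
    exit('not found');
}
sendImage($path);
```

The authorisation check runs before the file system is touched, so an unauthenticated or unentitled request learns nothing about which names exist in /account/gallery; the regex rejects "../common.php" outright and the realpath prefix test is the backstop for anything the regex did not anticipate.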

Author Comment

by: Black Sulfur
ID: 41786772
Interesting. So you are saying that:


will work even though common.php is outside of the public_html folder?

Expert Comment

by: Ray Paseur
ID: 41786799

When you see /path/to/file that is an absolute path. Starting from the server's root, it's followed down to the file. With just /file that means that you're looking directly in the server's root.

Whenever you do not have a leading slash, the path is taken as relative.  This means that, starting from your current point in the file system, you follow the path, so ../file would mean to look in the parent directory for the file.

Your server's hosting structure may be in play here.  If you have access to an account directory that is above public_html, this is a workable strategy.

Generally speaking:
/ means the root, like public_html
./ means the current working directory
../ means the parent of the current directory

Question has a verified solution.
