Solved

How to move and access a folder outside of the root folder

Posted on 2016-09-06
4
54 Views
Last Modified: 2016-09-06
I have a connections folder that has a php file with the database connection details in it and then I include this file in any pages that require a database connection. I have heard that it is a good idea to move that folder out of the root but I don't know exactly where you would put it and how you would access it?

For example, I now have: ../connections/db.php

What would I change that to?

I am currently using a .htaccess file in the folder itself that has:

Options -Indexes

But, I think that moving the folder out of the root might be more secure?
0
Question by:Black Sulfur
4 Comments
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 250 total points
ID: 41786640
Any file that sits anywhere within the document root is web-accessible. That means people can hit that file via a URL. So let's say you had a site called abc.com and your site's folder structure looks like:

/abc.com                     <-- Site root folder
        /public_ftp          <-- FTP folder, not web-accessible
        /mail                <-- Mail folder, not web-accessible
        /public_html         <-- Document root folder (http://www.abc.com)
                    /images  <-- Images folder (http://www.abc.com/images)
                    /css     <-- CSS folder (http://www.abc.com/css)

So if you had a file called "foobar.php" inside your public_html folder (your document root), then it could be accessed via the web at "http://www.abc.com/foobar.php".

That said, when you access a file via the web, the web server is usually configured to process files differently based on their file extension. So let's say you had two files:

/abc.com/public_html/details.txt:
<?php $database_password = "53cr3t!123"; ?>

/abc.com/public_html/myfile.php
<?php $database_password = "53cr3t!123"; ?>

If you visited each one of those, you'd get different results:
http://www.abc.com/details.txt would show you the raw contents of the file, like this:
<?php $database_password = "53cr3t!123"; ?>

However, http://www.abc.com/myfile.php would result in a blank web page because the web server would see the .php extension and run the code through the PHP engine and spit out the results. Since there's no output in the results, nobody would be able to see the PHP code with the password in it.

Now, part of security is ensuring you don't expose more than you need to. For example, if a malicious hacker wants to break into your site, one of the first things they'll do is figure out what URLs you have and what information that tells them about what files are there. So if there are any visible references or URLs for "myfile.php", then the hacker has a good idea that myfile.php exists in your document root. If he or she discovers a way to access the code but needs a filename, then the hacker now has the two pieces needed, and can therefore access that code. If you move content outside of the document root, it usually becomes less visible, and therefore safer, even if it is processed by an engine like PHP.

There's no guarantee that moving a file outside the document root will protect you completely - your job with security is to make it hard enough for a malicious hacker that they decide to move onto easier targets (when applicable). So moving files outside the document root is just an incremental step, but a good one. In the above example scenario, you might move a file with sensitive details to the site's root folder (different than the document root), which is /abc.com.
1
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 41786708
My shared host provides this kind of directory structure.
/account                   <-- Site root folder
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

And I add something like this to my index.php file in the public_html directory
require_once('../common.php');

The common.php file has all my credentials, local classes and functions, and other fun stuff.  With this in place, the structure now looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

You can do this for your database credentials, but as @gr8gonzo points out, the PHP parser will get control of any HTTP request to PHP files, and they will be parsed, so there is little likelihood that they can expose any information, since all they do is set variable values.

Where this becomes a more valuable idea... When you want to put other information assets online that you generally want to protect, but for authorized individuals you want to expose the information.  Imagine a photo gallery that sells images.  You can use client authentication to protect the page that accesses the gallery of images.  Part of the authentication process can associate your users with the images they have purchased.  The users will visit a script that will find their images in a directory that is above the web root.  Now the structure looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /gallery               <-- Image resources
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

0
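One way the gallery script described in the accepted answer could look, written here as an added example rather than Ray Paseur's own code. It assumes the /account layout from the answer (this file sits in /account/public_html, credentials in /account/common.php, purchased images in /account/gallery), that common.php defines a user_owns_image() helper, and that the image name arrives as ?img=...; it also shows the require_once('../common.php') idea anchored on __DIR__ so the include does not depend on the working directory.

```php
<?php
// public_html/image.php (added example; assumes the /account layout from the answer).
declare(strict_types=1);

// Resolve paths relative to this file, not the process's working directory,
// so the include still works when PHP is invoked from somewhere else.
$siteRoot = dirname(__DIR__);               // /account (one level above the document root)
require_once $siteRoot . '/common.php';     // assumed: defines user_owns_image(int, string): bool

// Only authenticated users get anything at all.
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Accept only a bare file name; basename() drops any directory component.
$name       = basename((string) ($_GET['img'] ?? ''));
$galleryDir = realpath($siteRoot . '/gallery');
$path       = realpath($galleryDir . '/' . $name);

// realpath() returns false for a missing file; the prefix check rejects
// symlinks or other tricks that resolve outside the gallery directory.
if ($galleryDir === false || $path === false
    || strpos($path, $galleryDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('No such image');
}

// Authorization: because /account/gallery is outside public_html, this check
// is the only route by which an image can be reached over HTTP.
if (!user_owns_image((int) $_SESSION['user_id'], $name)) {   // assumed helper from common.php
    http_response_code(403);
    exit('Not purchased');
}

// Serve with a content type derived from the file itself, never from user input.
$mime = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```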
 

Author Comment

by:Black Sulfur
ID: 41786772
Interesting. So you are saying that:

require_once('../common.php');

will work even though common.php is outside of the public_html folder?
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 41786799
Yes.

When you see /path/to/file that is an absolute path. Starting from the server's root, it's followed down to the file. With just /file that means that you're looking directly in the server's root.

Whenever you do not have a leading slash, the path is taken as relative.  This means that, starting from your current point in the file system, you follow the path, so ../file would mean to look in the parent directory for the file.

Your server's hosting structure may be in play here.  If you have access to an account directory that is above public_html, this is a workable strategy.

Generally speaking:
/ means the root, like public_html
./ means the current working directory
../ means the parent of the current directory
0
