Solved

How to move and access a folder outside of the root folder

Posted on 2016-09-06
Last Modified: 2016-09-06
I have a connections folder that has a php file with the database connection details in it and then I include this file in any pages that require a database connection. I have heard that it is a good idea to move that folder out of the root but I don't know exactly where you would put it and how you would access it?

For example, I now have: ../connections/db.php

What would I change that to?

I am currently using a .htaccess file in the folder itself that has:

Options -Indexes

But, I think that moving the folder out of the root might be more secure?
0
Question by:Black Sulfur
4 Comments
 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 1000 total points
ID: 41786640
Any file that sits anywhere within the document root is web-accessible. That means people can hit that file via a URL. So let's say you had a site called abc.com and your site's folder structure looks like:

/abc.com                     <-- Site root folder
        /public_ftp          <-- FTP folder, not web-accessible
        /mail                <-- Mail folder, not web-accessible
        /public_html         <-- Document root folder (http://www.abc.com)
                    /images  <-- Images folder (http://www.abc.com/images)
                    /css     <-- CSS folder (http://www.abc.com/css)

So if you had a file called "foobar.php" inside your public_html folder (your document root), then it could be accessed via the web at "http://www.abc.com/foobar.php".

That said, when you access a file via the web, the web server is usually configured to process files differently based on their file extension. So let's say you had two files:

/abc.com/public_html/details.txt:
<?php $database_password = "53cr3t!123"; ?>

/abc.com/public_html/myfile.php
<?php $database_password = "53cr3t!123"; ?>

If you visited each one of those, you'd get different results:
http://www.abc.com/details.txt would show you the raw contents of the file, like this:
<?php $database_password = "53cr3t!123"; ?>

However, http://www.abc.com/myfile.php would result in a blank web page because the web server would see the .php extension and run the code through the PHP engine and spit out the results. Since there's no output in the results, nobody would be able to see the PHP code with the password in it.

Now, part of security is ensuring you don't expose more than you need to. For example, if a malicious hacker wants to break into your site, one of the first things they'll do is figure out what URLs you have and what information that tells them about what files are there. So if there are any visible references or URLs for "myfile.php", then the hacker has a good idea that myfile.php exists in your document root. If he or she discovers a way to access the code but needs a filename, then the hacker now has the two pieces needed, and can therefore access that code. If you move content outside of the document root, it usually becomes less visible, and therefore safer, even if it is processed by an engine like PHP.

There's no guarantee that moving a file outside the document root will protect you completely - your job with security is to make it hard enough for a malicious hacker that they decide to move on to easier targets (when applicable). So moving files outside the document root is just an incremental step, but a good one. In the above example scenario, you might move a file with sensitive details to the site's root folder (different than the document root), which is /abc.com.
1
 
LVL 111

Accepted Solution

by:Ray Paseur
Ray Paseur earned 1000 total points
ID: 41786708
My shared host provides this kind of directory structure.
/account                   <-- Site root folder
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

And I add something like this to my index.php file in the public_html directory
require_once('../common.php');

The common.php file has all my credentials, local classes and functions, and other fun stuff.  With this in place, the structure now looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

You can do this for your database credentials, but as @gr8gonzo points out, the PHP parser will get control of any HTTP request to PHP files, and they will be parsed, so there is little likelihood that they can expose any information, since all they do is set variable values.

Where this becomes a more valuable idea... When you want to put other information assets online that you generally want to protect, but for authorized individuals you want to expose the information.  Imagine a photo gallery that sells images.  You can use client authentication to protect the page that accesses the gallery of images.  Part of the authentication process can associate your users with the images they have purchased.  The users will visit a script that will find their images in a directory that is above the web root.  Now the structure looks like this.
/account                   <-- Site root folder
    common.php             <-- DB credentials, etc
    /gallery               <-- Image resources
    /public_html           <-- Document root folder https://iconoun.com
        /demo              <-- Demonstration folder https://iconoun.com/demo/

0
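
The gallery arrangement described in the answer above, as an added example that is not part of the original post: a hypothetical public_html/image.php that streams a file from /account/gallery only to a logged-in user who purchased it. The script name, the "file" query parameter and the "purchased_images" session key are assumptions.

```php
<?php
// public_html/image.php -- hypothetical gatekeeper script (added example).
// Assumed layout: images live in /account/gallery, one level above public_html.
declare(strict_types=1);

session_start();

const GALLERY_DIR = __DIR__ . '/../gallery';

/**
 * Resolve a requested file name to a real path inside the gallery.
 * Returns null if the file does not exist or resolves outside the gallery.
 */
function resolve_gallery_file(string $galleryDir, string $requested): ?string
{
    $base = realpath($galleryDir);
    // basename() drops any directory part; realpath() follows symlinks.
    $path = realpath($galleryDir . '/' . basename($requested));
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must sit under the gallery directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Assumption: the login code stored the user's purchased file names in the session.
$purchased = $_SESSION['purchased_images'] ?? null;
$requested = (string) ($_GET['file'] ?? '');

if (!is_array($purchased)) {
    http_response_code(401);    // not logged in
    exit;
}
if (!in_array($requested, $purchased, true)) {
    http_response_code(403);    // logged in, but this image was not purchased
    exit;
}
$path = resolve_gallery_file(GALLERY_DIR, $requested);
if ($path === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the gallery has no URL of its own, this script is the only route to the images, so the session and purchase checks cannot be bypassed by requesting the file directly.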
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41786772
Interesting. So you are saying that:

require_once('../common.php');

will work even though common.php is outside of the public_html folder?
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41786799
Yes.

When you see /path/to/file that is an absolute path. Starting from the server's root, it's followed down to the file. With just /file that means that you're looking directly in the server's root.

Whenever you do not have a leading slash, the path is taken as relative.  This means that, starting from your current point in the file system, you follow the path, so ../file would mean to look in the parent directory for the file.

Your server's hosting structure may be in play here.  If you have access to an account directory that is above public_html, this is a workable strategy.

Generally speaking:
/ means the root, like public_html
./ means the current working directory
../ means the parent of the current directory
0
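
The relative-path behaviour discussed in this thread, as an added example that is not part of the original posts: PHP resolves an include path that starts with ../ against the current working directory, which a web server normally sets to the folder of the requested script, so the same '../common.php' stops working from a subfolder such as /demo. The script below rebuilds the /account layout in a temporary directory (constructed, with placeholder credentials) and compares that include with one anchored to __DIR__; the file names relative.php and anchored.php are assumptions.

```php
<?php
// Added example: rebuilds the /account layout from the thread in a temp directory
// (constructed) and shows how '../common.php' depends on the working directory.
declare(strict_types=1);

function build_layout(): string
{
    $account = sys_get_temp_dir() . '/account_' . bin2hex(random_bytes(4));
    mkdir("$account/public_html/demo", 0700, true);
    // Credentials file above the document root (placeholder values).
    file_put_contents("$account/common.php", "<?php return ['db_user' => 'example'];");
    // Loader 1: path relative to the current working directory, as in the thread.
    file_put_contents("$account/public_html/relative.php",
        "<?php return @include '../common.php';");
    // Loader 2: path anchored to the loader's own location via __DIR__.
    file_put_contents("$account/public_html/anchored.php",
        "<?php return include dirname(__DIR__) . '/common.php';");
    return $account;
}

/** Run a loader with the given working directory; true if the credentials loaded. */
function loads_from(string $cwd, string $loader): bool
{
    chdir($cwd);
    $result = include $loader;
    return is_array($result) && isset($result['db_user']);
}

$account = build_layout();
$docroot = "$account/public_html";

// Each case simulates a request whose script lives in the given working directory.
$cases = [
    'relative.php, cwd = public_html'      => loads_from($docroot, "$docroot/relative.php"),
    'relative.php, cwd = public_html/demo' => loads_from("$docroot/demo", "$docroot/relative.php"),
    'anchored.php, cwd = public_html'      => loads_from($docroot, "$docroot/anchored.php"),
    'anchored.php, cwd = public_html/demo' => loads_from("$docroot/demo", "$docroot/anchored.php"),
];
foreach ($cases as $label => $ok) {
    printf("%-40s %s\n", $label, $ok ? 'loaded' : 'NOT FOUND');
}
```

Anchoring the path with __DIR__ (or dirname(__DIR__)) makes the include resolve to the same file no matter which script in the site triggered it.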
