So I work on a website and to make things easier I made specific files for every task (like: for the top menu I made menu.php) and then require(); them in the main files. All is good but I tried accessing in the browser /include/menu.php and it shows up. I don't want people to access them whenever they want, I just want to require them and to be available only through the main file.
The easiest way to prevent other php files from being accessed, is to define a variable in the main script:
define('IN_APPLICATION', true);
In all of your other files, simply add:
if ( !defined('IN_APPLICATION') )
die('You cannot access this file directly.');
An alternative way is to use an .htaccess file. If your server is running apache, this is all you will need. Simply put this file in your /includes directory.
Related
Just finished doing a simple mail transfer at my site using PhpMailer
I got 3 question about it -
I have read that's needed to store your credentials on a different file, read that there's 2 options - ini/php, which one would be better and how exactly this file should look like.
Regarding the directory of the credentials file, read it should be located outside the web root (just one level above its fine?), in that case how do I call it from inside the web root?
On the same matter, should the Mail.php itself be located on the site directory? or should I take it out as well?
It's generally safest to put values like these in .php files because they will render to nothing, unlike a .ini file which will usually render as plain text.
Yes, one level above is fine - it means that the file does not have a public URL of its own. From a script running inside the web root, you'd just load it with require '../settings.php';
You don't say what Mail.php is, but generally any other PHP scripts can stay put. Things like class definitions are safe because they have no effect when run directly (or at least should have no effect, if you've written them safely!). That said, it's common to put your composer vendor folder outside the web root since you don't necessarily have control over what ends up in there.
This might be hard to explain but I am looking for the best method of having one or a group of config files so if I need to update something its a little easier to do.
I have wrote a PHP application that has a sub folder for the admin side off the root folder and includes folder that is sub folder off the root folder as well .(see below)
the include folder has database config files, loads common variables and so forth. the problem is the path for the admin files that call for the database connection are obviously different than the files in the root folder.
so I started this but now I wonder if there is a better method than the route I am going.
`if($adminfile=="yes")
{
require('../includes/database/connect.db.php');
}
else{
require('includes/database/connect.db.php');
}`
I would really appreciate some advice, should I scrap this idea and have 2 location for the config file? Part of me hates to include in all the standard code $adminfile="no" I keep thinking is there a better way.
How do others solve this problem?
Check the value of your include_path in php.ini or your local config (via .htaccess for apache is another way to do it. If you add the path to demo to the include_path setting, then:
include('includes/database/connect.db.php');
or
require_once('includes/database/connect.db.php');
Will work from any file or sub folder.
Another way to do this is to include a single bootstrap file that has all the settings (i.e. not just your database ones) in your scripts.
A better way to do this is to route all your requests through a Front Controller that does anythign setup/teardown you need on every request. See PHP Front Controllers
you can define a constant in every file ... which defines the root folder you have
define('root', 'demo/');
and do
require(root.'includes/database/connect.db.php');
and this will work fine with any file you want to require
How can I access files via a url that are placed in /home/uzair/etc/index.php? Even when I run domain (something.com) it shows me data of (/home/uzair/public_html/index.php) this file.
Anyone please help me that how can I access that placed in (/home/uzair/etc/index.php) on my domain (something.com)
home
uzair
etc
index.php
public_html
admin
index.php
It sounds like you are in something.com which is visible to you on the web so it is located inside of public_html but you want to include a file that is higher up in the file system.
If that is what you are looking to do, use:
include("../etc/index.php");
The .. tells the server that you want to access the files in the next level up.
If you did:
include("../../uzair/etc/index.php");
That would have taken you all the way up to home and from there you would have access to many more files if you wanted to.
Files outside of public_html are protected from being seen on the web. Many people use that feature as a security to their content. If you have a file on there that you want to show contents of though, you have to use the include('file.php'); or include_once('file.php'); or even require_once('file.php') in a public ally visible file. Aka a file you have in public_html has to be the one to call the higher up file. If I am understanding your question right, that is how it is supposed to be done. Let me know if that is answering your question or not:-)
How you can run files not in public_html?
Files outside of public_html are protected from being seen on the web. Many people use that feature as a security to their content. If you have a file on there that you want to show contents of though, you have to use the include('file.php'); or include_once('file.php'); or even require_once('file.php') in a public ally visible file. Aka a file you have in public_html has to be the one to call the higher up file. If I am understanding your question right, that is how it is supposed to be done.
Currently, for things like a header, footer or common sidebar object, I create a custom .php file and do something along these lines:
echo '
<some><html><here>
';
and then include it on the pages that I want it to appear:
include('path/to/file');
The only problem with this is that someone can point their browser to my .php file and view part of html on its own. It isn't a huge deal, but it seems unprofessional and a little careless. Is there a better way of doing this?
The simplest way is to move all those files outside the DocumentRoot / public directory and include them from there. Something like:
include '../pages/header.php';
// rest of the script
include '../pages/bottom.php';
Anyway that's the purpose of that directory - to only hold things that are meant to be accessed directly.
Of course, the first step after this would be to look into having only one index.php file which filters all the requests (permissions, filtering, rewrites, etc) and includes whatever is necessary based on the request (this is called a Front Controller and there are also a few lightweight frameworks which already implement it). Here's a starting point: https://github.com/adrian-gheorghe/basic-website/blob/master/public/index.php
Put the included php files in a separate directory, and make this directory inaccessible from the outside (using .htaccess with Apache, for example).
You must restrain the access to other files in the server configuration.
WordPress pretty much does what you are currently doing: it stores all of the theme files in /wp-content/themes/THEMENAMEHERE/, and you can access the files to there directly. It's not that big of a concern, as users can't exactly do anything harmful, but if you care, you can store your files in a separate directory (as other answers have mentioned), or configure httpd.conf or .htaccess to block access to the particular scripts.
To keep URLs working in version-controlled projects, I've been using $_SERVER['DOCUMENT_ROOT']. The problem is, I develop projects within a folder, so I get this:
$_SERVER['DOCUMENT_ROOT'] . '/folder/path/to/file.php'
When I go live, I generally simply want the following:
$_SERVER['DOCUMENT_ROOT'] . '/path/to/file.php'
I know there are bigger problems in the world than having to remove and add this folder name, but is there a way I can easily automate this? Can I somehow set my document root locally to include the folder I'm working in? Do I have a fundamental misunderstanding of the way things are working? Kind of new at this stuff, and looking to learn as much as possible and really grok the "why."
Thanks so much!
Instead of using $_SERVER['DOCUMENT_ROOT'], why not declare a constant which always holds the root of your web application?
<?php
define('ABSPATH', dirname(__FILE__));
Put the following code in a file located in the root folder of your application and include it on every page load.
Then, you can simply always do $path = ABSPATH . '/path/to/file.php'; regardless of if your local copy is in a sub-directory folder or not.
If your application already has a file which is included on every page load, you can simply drop the code above in that file and it will work.
Just note that you may have to add additional dirname() calls depending on where that file is located. Add one for each directory you pass from the root of your webapp.
For example, if your webapp is located in /webapp/ and your "global include" is located in /webapp/includes/framework/init.php, then the above code needs to be modified as such:
define('ABSPATH', dirname(dirname(dirname(__FILE__))));
ie.: 2 additional dirname() calls due to two additional folders from the webapp root (includes/framework)
Clarification
The code above is meant to be in one file, and one file only in your web application. That file needs to be included on each page load.
If you already have a file which is included before any processing (such as a configuration file or other), you may copy and paste that code in that file.
The number of dirname() calls depends on how deep the file you copied and pasted the
code in is relative to the root directory of your web application. For the examples above, assume the root of your web application is represented by ~.
If you copy-paste my code into ~/abspath.php, then you need one dirname() call.
If you copy-paste my code into ~/includes/abspath.php, then you need two dirname() calls.
If you copy-paste my code into ~/includes/config/abspath.php, then you need three dirname() calls. Now let's just say that's its final location.
In ~/index.php, you do the following:
<?php
require_once('includes/config/abspath.php');
and you have access to ABSPATH.
In ~/dir/someOtherPage.php you do the following:
<?php
require_once('../includes/config/abspath.php');
and you have access to ABSPATH.
This is why I'm saying that if you already have a file which is included on each page load, its simpler just to drop the above code in it. Just make sure you modify the amount of dirname() calls accordingly. Again, this code is meant to be in ONLY ONE FILE.
declare below line in any of root file (index.php)
$_SESSION["uploads_base_url"]=dirname(__FILE__);
and you can now use this in any of file where uploads needed.
echo $uploads_base_url=$_SESSION["uploads_base_url"];