So, I've looked around quite a few questions around Stack Overflow and many of them mention the "webroot" - when looking for a specific definition of it, though, I've been unable to find one.
Does the webroot refer to the very base file (as in "App:) in my structural example below. Or does it refer to where the file you are talking about relatively? I.e. if I was talking about balance.php would it refer to view?
app
--Protected
______view
__________balance.php
----------level.php
Generally, the webroot, aka document root, is where "publicly accessible" files start in a website.
E.g. your site has a file, and url pointing at that file:
/home/sites/example.com/html/private/downloads/cutekittens.jpg
http://example.com/private/downloads/cutekittens.jpg
^---where the document root starts
Note where the two start corresponding. Everything "above" that point (/home/site/example.com/html) is OUTSIDE of the site's document root. Anything inside that .../html directory is inside the document root, and therefore accessible by browser from outside the server.
Note that this doesn't take into consideration any server-side aliases, rewriting, routing, etc...
It will be the base directory where web-accessible files go, usually called public_html, httpdocs, htdocs or wwwroot.
Related
I need some help.
I was reading the security recommendations of my hosting service and they say that ideally just put the
index file and files like css, js and img inside my root folder, and that all other files should be placed
off, that is, a level above.
I tried doing this in my tests, and I had some problems. The structure of the hosting folders is:
/
/htdocs
Inside /htdocs I put the index.php file and when accessing it through the url exemple.com/index.php works normally.
But putting other test files out of htdocs is what starts the problem. For example, if I have a file called contact.php
and I try to access it through the url exemple.com/contact.php I get the 404 error message.
So the question I have to ask is:
Is it possible to access url files that are outside of htdocs, or better to put all the files that will be accessed by the url inside
of htdocs and leave only configuration files outside this folder, like class, functions, database connection, etc?
And if it is possible to access the files by url, how would I rewrite these urls in htaccess?
and that all other files should be placed off
Yes, this is good practice. However, you're misunderstanding the implementation.
You can not directly access files outside the document root. But you can indirectly access them. I.e., the web server can't see them, but your programming code can.
Ideally, your site would use the front controller pattern. Here, your index.php file would serve every page of your app by intercepting every request and then routing it to the correct end point. I.e., you would never directly request /contact.php, you'd instead request /contact, which would get funneled to /index.php, which would load the required resources from outside the doc root.
I have a lot of image and pdf files in a folder within the public_html directory, and I have a lot of scripts on public_html dynamically processing, creating and editing these files based on user requests.
Now the problem is that I've realized that having these files stored in folders in public_html isn't safe, maybe someone could just inject some script and delete them all! So what I want to do is move them outside public_html. However - since I have so very many scripts dealing with all these files, all the paths will be messed up. I am using scripts that use relative paths, (/home/public_html/designs/product1/...) as well as scripts that use absolute paths (www.mydomain.com/designs/product1/...).
I don't know much about symbolic links to be honest - I've read up some but I found it confusing since I'm not that good with Linux either.
My question is: is there any way that I can put some kind of symbolic link or connection, so that I can move all my product design files outside public_html, and yet don't have to change all my scripts to point to the new path? So maybe, some kind of code that resolves all public_html/designs/ requests from my scripts to the new path? Maybe symbolic links isn't what I need here, but something else?
create sysmbolic links is easy in linux
first go to public_html directory :
/home/public_html/
then move designs directory to upper directory [ or every where you want ]
mv designs ../
then create sysmbolic link to the real directory
ln -s ../designs designs
every thing will be work
In a way to secure my files from outside access, I am considering placing all the included files outside the public_html folder or the httpdocs folder.
However, this comment is saying that nothing should be kept outside of the public folder that handles user input data.
What is the best and most ideal practice for this? My thinking would be to have a .htaccess point route EVERYTHING to an index.php, and the index.php includes all the neccessary files such as database connections and whatever else, and also includes the .php file which would have the HTML and PHP inside it for the main body content of the page.
Can anyone tell me if there is anything wrong with that, and why?
However, this comment is saying that nothing should be kept outside of the public folder that handles user input data.
The comment uses the word direct. Includes are handling the data indirectly.
My thinking would be to have a .htaccess
Configuration is better handled in the main configuration file if possible. .htaccess marginally is less efficient (and scatters configuration across your webroot).
point route EVERYTHING to an index.php, and the index.php includes all the neccessary files such as database connections and whatever else, and also
The front controller pattern is a perfectly reasonable approach.
includes the .php file which would have the HTML and PHP inside it for the main body content of the page.
Simply including that can start to create a bit of a mess. I suggest investigating the MVC pattern.
The comment you are referring to says that nothing that handles input or output directly should be outside the document root.
On the other hand, it's perfectly fine to place library code outside the root. If you use index.php as a single entry point to your application, pretty much the only things that should be web-accessible in addition to that script would be your assets (css, js, images, etc).
I am developing a web application. contents are:
root dir (/var/www/)
config.php
index.php
details.php
admin dir (/var/www/admin)
admin.php
I have included config.php file into index.php, details.php in root directory using require_once('config.php') as this file contains database passwords, styles, images directory paths..
how can i include that config files in my admin/admin.php file so that one config file can be used in anywhere(even in subdirectories) of my web application. Will it make any difference for the value of define('APP_BASE_PATH', dirname(__FILE__)); when same config file is used by all files in the web application.
if i am wrong somewhere then please get me right.
If your server properly configured, just
include $_SERVER['DOCUMENT_ROOT']."/config.php";
anywhere
You have also 2 other possible ways.
a Front controller setup, where ALL user requests going into one file. And ths one going to include all others from their subdirectories. Personally I don't like it cause this front file become a mess. Though it's widely used.
I decided not to mention it because noone would use a hardcoded full path anyway.
Update after clarification in comments: You are looking for a way to include a central configuration file from anywhere in your project's folder structure.
#Col. Shrapnel shows one way, DOCUMENT_ROOT. It's the only way to use an "absolute" path from a nested folder structure. It has the limitation I describe above, but it's fine otherwise.
If you want maximum portability (i.e. the possibility to run the app with e.g. www.example.com/myapp/version_1 as its root directory), you would have to use relative references from within your folder structure to "climb down" to the config file, e.g. ../../config.php that will work reliably too, although be a bit cumbersome e.g. if you move a script to a different folder and you have to update the relative path.
you can use the same config file every time... using "/" will take you back to the root directory... so in admin/admin.php use this:
require_once("/config.php");
you can use "../" to take you up one directory eg:
require_once("../config.php");
was this what you were looking for?
I ask because it seems like the only thing ever called in a proper app index.php file is the require_once bootstrap file. I'm assuming this adds a layer of security but if not, this pattern seems pointless. Why not just use the index.php file as the bootstrap? Any opinions, cautions, thoughts etc. are appreciated!
(By the way, my htaccess file is routing all requests to the index.php file...)
There is no inherent security difference, no matter whether you have your bootstrapoing process in the index file or a separate one.
Having a separate file is usually due to organization concerns (e.g. to have a file that can be included from elsewhere to import your app's functions, or to put all the tasks in properly named files, or to make it especially easy to add custom extensions to the boot process).
However, configuration files containing sensitive information - sometimes, more rarely, even all PHP files at all except for the index file - will be placed outside the web root where possible. That will make a security difference in that PHP files can not be accessed from outside in case of an accidental server misconfiguration.
in a secure enviroment only the index.php lies in the document root, all other PHP files should be outside document root, so it makes sense when the index.php file is only including a Bootstrap file outside the document root.
I don't know of any vulnerability that this exposes. Dropping a blank index.html or index.php into a folder can prevent an attacker from obtaining a directory listing if apache is misconfigured.