On the Apache Server it is possible to define a directory for PHP includes. The path to the include folder is out of root, and does not conflict with the server script. The reason why I think it is nice to store the secure files like config.php and db-access.php in the PHP global include folder, is that I don't have to define the path for each and every single page in my web application. I can simply do as following:
<?
require_once('config.php');
require_once('db-access.php');
?>
But then I have a question cause, besides that the include folder is outside of root, is it still save enough?
It will be save enough, it you wouldn't place it under your htdocs folder ( folder, which is accessible via you web server ). So, you can put it in any other places.
use .htacces
order deny,allow
deny from all
Way to include file from root directroy
<?php
$path = $_SERVER['DOCUMENT_ROOT'];
$path .= '/folder/config.php';
require_once($path);
?>
OR Use if they are in your public_html or www folder
Order allow,deny
deny from all
Related
So I have a web application hosted on a site. The web root (I.E. the files the client can access) is the public_html folder. However, I need to include files outside of the public_html folder. I do this using php include. I get an error no such file or directory. When it shows me the path it is still looking in the public_html folder, which is not where I need it looking.
The code looks like this:
<?php include('../eCommerceCore/shoppingCart.php');?>
I need it to look up one level but it will not search outside of public_html. Also, the file containing the line of code shown above is in the public_html folder if that helps.
Sometimes the current directory isn't what you expect it to be, such as when you include a file from an included file.
I like to use $_SERVER['DOCUMENT_ROOT'] on my includes so that I can always reference them absolutely from the root of my site:
<?php
include($_SERVER['DOCUMENT_ROOT']."../eCommerceCore/shoppingCart.php");
?>
Or this way you can try
<?php
include "../eCommerceCore/shoppingCart.php";
?>
If your includes directory is above your document root, you can use .. to still reference from the root.
I am using apache server.
Is there a way to prevent users from accessing my include files directly ?
But only allow the server the access to those ?
Another way is to have the include files outside of the directory the site is served from. For example:
/
includes/somefile.php
http/index.php
So the Web site is served from http/, but includes are outside of that directory, meaning no one can access them directly from a Web browser, but your scripts can include them like this:
<?php
require_once '../includes/somefile.php';
[...]
Put them in a directory outside of the web root.
i.e. if index.php is in /var/www/domain.com/www, put the includes in /var/www/domain.com/includes or something.
Do not put the include files under the document root (i.e. outside the file tree that apache delivers to the user).
I have some includes files and I don't want to expose them via HTTP. They are only used for being included into other PHP files.
Should I configure .htaccess file and add some lines to specify that?
Thanks in advance...
You could use .htaccess rules or put them outside of your web directory!
Try this:
<Files filename.php>
order allow,deny
deny from all
</Files>
You should never put files, that you don't want to get accessed from outside, into a directory, that is accessible from outside, or in short: Move the files outside the document root.
Lets say
/path/to/htdocs/index.php
/path/to/privateFiles/include.php
In index.php you can use
require dirname(__FILE__) . '/../privateFiles/include.php';
When you want to make it a little bit more portable, you can separate both directories from each other. Usually files from privateFiles/ don't need to know about the files in htdocs. In index.php you can do something like
define('INCLUDES_PATH', '/path/to/privateFiles');
and then anywhere within your application
require INCLUDES_PATH . '/include.php';
When you want to move the private files around, you just need to change the constant in index.php.
If your included file is PHP, define a constant in your index/main code, check it in the include files
Index.php
<?php
define('INDEX_LOADED',TRUE);
include('include.php');
?>
Include.php
<?php
if(!defined('INDEX_LOADED'))
die('not to be accessed directly');
// rest of code here
?>
Is it possible to require files (using php require) from the directory where my website is placed?
For example, my website is in the directory mywebsite which is in the root directory. There is another directory there. Can I require files from this another directory?
Sure, you can require files from anywhere that has the appropriate permissions.
This requires the file from the current directory (NOT always where the current PHP script is, so be careful of that):
require("whatever.php");
This will require whatever.php from somefolder which is in the current directory.
require("somefolder/whatever.php");
Finally, you can give an absolute path like this:
require("/var/www/includes/whatever.php");
Require from parent directory:
require("../includes/watherver.php");
It doesn't matter really where you get it from, provided you have the permissions set correctly, and PHP is configured in such a way to allow you to do so.
I have been using
require_once $_SERVER['DOCUMENT_ROOT'] . '/myfile.php';
It should be no problem to require from an arbitrary existing and readable directory.
Image you have:
/
--folder1
--folder2
and in folder1 is your index.php and in folder2 is your to_require.php
Then you could write:
require('../folder2/to_require.php')
That's because you can go up in your directory tree with ..
I have a php applicaiton and i'm planning to keep critical settings in a .ini file. However, i think that file can be accessed from over the web, so where is a "standard place" for it to be placed?
You can store it above the document/web root or specifically block access to it. For example, a common structure for PHP applications is:
application/
public/
Where public is the web root - so I usually store application configuration in application/config where I know it can't be accessed.
An alternative would be to block it using Apache:
<!-- Block access to all .ini files -->
<Files ~ "\.ini">
Order deny,allow
Deny from all
</Files>
The "standard place" is anywhere not affected by the directory root of the apache. For example you can place it under /home/someuser/, or somewhere else.
Place the .ini file outside the web root or protect it with .htaccess if you really want to keep it under the web root.
It can be accessed if you place your INI file in your webroot/docroot.
Making sure the file is not accessible via the docroot is the first step.
I would use a database to be honest.
However, if you really want to use a flat file (e.g. .ini), you can place it in a directory, and use .htaccess to stop people from accessing it via their browser. That way, you can still access the file via php file functions.
To do this, make a file called .htaccess in the folder you want to protect (e.g. ini/)
Then, in this file put:
deny from all
The folder is now not accessible by going to the url in the browser.
Place the configuration in a directory that isn't readable by the webserver, yet is readable for the application. Generally, you have a specific directory that's readable by the webserver, such as "web", "www", "public" or "public_html". Make sure you put it in the directory below that one.
That way, your application can read the file:
$cfg = parse_ini_file(
realpath( dirname( __FILE__ ) . '/../' ) . '/config.php'
);
Your webserver doesn't know how to reach it though, so it's secure.
a good example is Zend FW or any other php frameworks. directory structue is:
application/config/config.ini
library/Zend/
public/index.php
where public is accesible from web