I have some includes files and I don't want to expose them via HTTP. They are only used for being included into other PHP files.
Should I configure .htaccess file and add some lines to specify that?
Thanks in advance...
You could use .htaccess rules or put them outside of your web directory!
Try this:
<Files filename.php>
order allow,deny
deny from all
</Files>
You should never put files, that you don't want to get accessed from outside, into a directory, that is accessible from outside, or in short: Move the files outside the document root.
Lets say
/path/to/htdocs/index.php
/path/to/privateFiles/include.php
In index.php you can use
require dirname(__FILE__) . '/../privateFiles/include.php';
When you want to make it a little bit more portable, you can separate both directories from each other. Usually files from privateFiles/ don't need to know about the files in htdocs. In index.php you can do something like
define('INCLUDES_PATH', '/path/to/privateFiles');
and then anywhere within your application
require INCLUDES_PATH . '/include.php';
When you want to move the private files around, you just need to change the constant in index.php.
If your included file is PHP, define a constant in your index/main code, check it in the include files
Index.php
<?php
define('INDEX_LOADED',TRUE);
include('include.php');
?>
Include.php
<?php
if(!defined('INDEX_LOADED'))
die('not to be accessed directly');
// rest of code here
?>
Related
here is my project structure:
Web root/document root:
/var/www/ all the website files in the the 'www' folder
I want to use require or include a file inside my folder OUTSIDE the web root/document root:
/var/extra-files
how can i get a file inside the extra-files folder using require or include?
require "OUTSIDE DOCUMENT ROOT/extra-files
thanks
First make sure apache as permission to read the files on /var/extra-files, then you can use:
require "/var/extra-files/file.php";
You may want to read Difference between require, include and require_once?
Hmm wow... no way was it that easy. I just used this:
/var/extra-files/myfile.php
and it worked.
On the Apache Server it is possible to define a directory for PHP includes. The path to the include folder is out of root, and does not conflict with the server script. The reason why I think it is nice to store the secure files like config.php and db-access.php in the PHP global include folder, is that I don't have to define the path for each and every single page in my web application. I can simply do as following:
<?
require_once('config.php');
require_once('db-access.php');
?>
But then I have a question cause, besides that the include folder is outside of root, is it still save enough?
It will be save enough, it you wouldn't place it under your htdocs folder ( folder, which is accessible via you web server ). So, you can put it in any other places.
use .htacces
order deny,allow
deny from all
Way to include file from root directroy
<?php
$path = $_SERVER['DOCUMENT_ROOT'];
$path .= '/folder/config.php';
require_once($path);
?>
OR Use if they are in your public_html or www folder
Order allow,deny
deny from all
I am using apache server.
Is there a way to prevent users from accessing my include files directly ?
But only allow the server the access to those ?
Another way is to have the include files outside of the directory the site is served from. For example:
/
includes/somefile.php
http/index.php
So the Web site is served from http/, but includes are outside of that directory, meaning no one can access them directly from a Web browser, but your scripts can include them like this:
<?php
require_once '../includes/somefile.php';
[...]
Put them in a directory outside of the web root.
i.e. if index.php is in /var/www/domain.com/www, put the includes in /var/www/domain.com/includes or something.
Do not put the include files under the document root (i.e. outside the file tree that apache delivers to the user).
I have a php applicaiton and i'm planning to keep critical settings in a .ini file. However, i think that file can be accessed from over the web, so where is a "standard place" for it to be placed?
You can store it above the document/web root or specifically block access to it. For example, a common structure for PHP applications is:
application/
public/
Where public is the web root - so I usually store application configuration in application/config where I know it can't be accessed.
An alternative would be to block it using Apache:
<!-- Block access to all .ini files -->
<Files ~ "\.ini">
Order deny,allow
Deny from all
</Files>
The "standard place" is anywhere not affected by the directory root of the apache. For example you can place it under /home/someuser/, or somewhere else.
Place the .ini file outside the web root or protect it with .htaccess if you really want to keep it under the web root.
It can be accessed if you place your INI file in your webroot/docroot.
Making sure the file is not accessible via the docroot is the first step.
I would use a database to be honest.
However, if you really want to use a flat file (e.g. .ini), you can place it in a directory, and use .htaccess to stop people from accessing it via their browser. That way, you can still access the file via php file functions.
To do this, make a file called .htaccess in the folder you want to protect (e.g. ini/)
Then, in this file put:
deny from all
The folder is now not accessible by going to the url in the browser.
Place the configuration in a directory that isn't readable by the webserver, yet is readable for the application. Generally, you have a specific directory that's readable by the webserver, such as "web", "www", "public" or "public_html". Make sure you put it in the directory below that one.
That way, your application can read the file:
$cfg = parse_ini_file(
realpath( dirname( __FILE__ ) . '/../' ) . '/config.php'
);
Your webserver doesn't know how to reach it though, so it's secure.
a good example is Zend FW or any other php frameworks. directory structue is:
application/config/config.ini
library/Zend/
public/index.php
where public is accesible from web
I'm having problems with my include files. I don't seem to be able to figure out how to construct my URLs when I use require_once('somefile.php'). If I try to use an include file in more than one place where the directory structures are different, I get an error that the include file cannot be found.
In asp.net, to get my application root path, I can use ~/directory/file.aspx. The tild forward slash always knows that I am referencing from my website root and find the file no matter where the request comes from within my website. It always refers back to the root and looks for the file from there.
QUESTION: How can I get the root path of my site? How can I do this so I can reuse my include files from anywhere within my site? Do I have to use absolute paths in my URLs?
Thank you!
There is $_SERVER['DOCUMENT_ROOT'] that should have the root path to your web server.
Edit: If you look at most major php programs. When using the installer, you usually enter in the full path to the the application folder. The installer will just put that in a config file that is included in the entire application. One option is to use an auto prepend file to set the variable. another option is to just include_once() the config file on every page you need it. Last option I would suggest is to write you application using bootstrapping which is where you funnel all requests through one file (usually with url_rewrite). This allows you to easily set/include config variables in one spot and have them be available throughout all the scripts.
I usually store config.php file in ROOT directory, and in config.php I write:
define('ROOT_DIR', __DIR__);
And then just use ROOT_DIR constant in all other scripts.
Using $_SERVER['DOCUMENT_ROOT'] is not very good because:
It's not always matching ROOT_DIR
This variable is not available in CGI mode (e.x. if you run your scripts by CRON)
It's nice to be able to use the same code at the top of every script and know that your page will load properly, even if you are in a subdirectory. I use this, which relies on you knowing what your root directory is called (typically, 'htdocs' or 'public_html':
defined('SITEROOT') or define('SITEROOT', substr($_SERVER['DOCUMENT_ROOT'], 0, strrpos($_SERVER['DOCUMENT_ROOT'], 'public_html')) . 'public_html');
With SITEROOT defined consistently, you can then access a config file and/or page components without adapting paths on a script-by-script basis e.g. to a config file stored outside your root folder:
require_once SITEROOT . "/../config.php";
You should use the built in magic constants to find files. __FILE__ and __DIR__. If you are on PHP < 5.3 you should use dirname(__FILE__)
E.g.
require_once __DIR__.'/../../include_me.php';
$_SERVER['DOCUMENT_ROOT'] is not always guaranteed to return what you would expect.
Define it in a config file somewhere.
Assuming you're using an MVC style where everything gets routed through a single index.php then
realpath('.');
Will show you the path to the current working directory (i.e where index.php is)
So then you can define this as
define('PROJECT_ROOT', realpath('.'));
If it's not MVC and you need it to work for files in subfolders then you can just hard code it in a config file
define('PROJECT_ROOT', 'C:/wamp/www/mysite');
Then when including something you can do;
include PROJECT_ROOT . '/path/to/include.php';
You could alternativly set the base directory in your .htaccess file
SetEnv BASE_PATH C:/wamp/www/mysite/
Then in PHP you can reference it with $_SERVER['BASE_PATH']
Try this:
$_SERVER['DOCUMENT_ROOT']