Monday, October 12, 2009

Where is the best place to store php "include files" in a directory not accessible by a we

I have read in PHP books that "include" files should not be kept in your web space for security reasons. But where else can you put them? I'm using a shared server to host my future site. Do I put them on my own machine? Will this work? I don't know what "keeping includes files in a directory not accessible to the web server" means. Can someone spell it out for me in plain (non-technical) English? Thanks in advance!!



Where is the best place to store php "include files" in a directory not accessible by a web server?





Hi Hookem,



You are on the right track, but you have to remember that "include" files should be on the same server and location where your PHP script is located.



Let me try to explain it in non-technical words :) Let me see if I can do it :p



Include files enable you to include PHP files in an existing PHP file, where that file should be on the same computer. You CANNOT include a file from another server. Why? Because PHP is a scripting language that, once it is accessed within a web browser, will execute and return raw HTML, not the code (which is needed when you include).



Basically, some PHP books suggest you place include files "outside the main WWW root folder of your website". I believe they stated that in case your scripts are not protected correctly, and in case of vulnerability (hacking in future).



I believe if those included files are not PHP classes, I highly recommend placing those files outside your WWW root, but if they are classes, the only way to run them is by instantiating them (by code), where hackers cannot know what they are.



So many shared hostings or web hostings usually have a subfolder which is called WWW, HOME, MYDOMAIN.COM, anything that resembles your HOME folder for your website.



A structure could look like this on a server where you buy online:



==============

/
/www.mydomain.com/
/www.mydomain.com/index.php
/tempfiles
/tempfiles/mydoc.doc

==============



Where the www.mydomain.com folder is the main entrance to your website, whatever you place inside that folder is placed in public so users could attempt to view it.



Tempfiles is just a folder that I created which is NOT accessible from the outside. People who view your domain cannot view that, since your WEB HOME points to www.mydomain.com.



It is perfectly legal to create a folder called "includes" outside your WEBHOME, so /includes, so if you have any private PHP files that have your password and other important info, you can place them there, and in your PHP scripts you could do...



=============



include "../includes/pass.php";



NOTICE something: Any .PHP file which is placed in your WEBHOME directory is public to the viewers, BUT they won't see the CODE of that file, they will see the PROCESSED version of that file. Because once someone requests to view your website, PHP processes the .php files into raw HTML wherever you specified.



So if your include files are authentication/passwords/other important stuff, place them outside your WEBHOME directory in case someone actually hacks your domain, just for a precaution :)



Another thing I want to say is that, if you are running your server off your PC, and you're using the APACHE web server, you are currently placing your PHP files in "htdocs". Make a folder somewhere else (NOT in htdocs), and in your PHP file where you want to include that file you do:



include "My/Full/Path/To/Includes/Directory/pass...



If you need any help let me know and I will gladly help explaining it more.



Good Luck



****************************
UPDATE
****************************



There must be something wrong with your code, or your path doesn't really exist. Look at this example... I tested it on my server:



[grand]$ cat files/temp.php
<?='<p>temp.php</p>';?>
[grand]$ cat imagine.campusinteractive.com/test.php
<?php
include('../files/temp.php');
echo '<p>test.php</p>';
?>
[grand]$



It works perfectly, please check if you have mistyped anything.



Make sure that file is valid as well. So if that included file is including another file, make sure all paths are working.
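An added example (not part of the original answer or the poster's code) of loading a private file from an includes folder that sits beside the web home rather than inside it. The temporary directory layout, the load_private() and is_inside() helpers and the sample value are constructed for illustration. A path that starts with ../ is resolved against the current working directory, so the example builds absolute paths and checks where they resolve.

```php
<?php
// Added example: directory names and the 'db_password' value are constructed.
// Layout, mirroring the answer:
//   <base>/www.mydomain.com/   web home (public)
//   <base>/includes/pass.php   private, outside the web home
$base     = sys_get_temp_dir() . '/include_demo_' . getmypid();
$webHome  = $base . '/www.mydomain.com';
$includes = $base . '/includes';
mkdir($webHome, 0755, true);
mkdir($includes, 0750, true);
file_put_contents($includes . '/pass.php', "<?php\nreturn ['db_password' => 'constructed-sample-value'];\n");

/** True when $path resolves to a location inside $dir (symlinks and ../ resolved). */
function is_inside(string $path, string $dir): bool
{
    $p = realpath($path);
    $d = realpath($dir);
    if ($p === false || $d === false) {
        return false;
    }
    return $p === $d || strncmp($p, $d . DIRECTORY_SEPARATOR, strlen($d) + 1) === 0;
}

/** Load a private include by bare name; refuse files outside $includes or inside the web home. */
function load_private(string $name, string $includes, string $webHome)
{
    $file = $includes . '/' . basename($name) . '.php';
    if (!is_file($file) || !is_inside($file, $includes)) {
        throw new RuntimeException("private include not found: $name");
    }
    if (is_inside($file, $webHome)) {
        throw new RuntimeException("include directory is inside the web home");
    }
    return require $file;
}

// What a script in the web home would do. On a real host, build the path as
// dirname(__DIR__) . '/includes' so it does not depend on the working directory.
$config = load_private('pass', $includes, $webHome);
echo isset($config['db_password']) ? "loaded private config\n" : "missing\n";

// A name carrying path components is cut down to its last segment and is not found.
try {
    load_private('../www.mydomain.com/index', $includes, $webHome);
} catch (RuntimeException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```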



Where is the best place to store php "include files" in a directory not accessible by a web server?



"keeping includes files in a directory not accessible to the web server" means those files should not be accessible by anonymous users! You can use a .htaccess file to set the permissions on this directory, so as not to allow anonymous access ;)



You can read more about using .htaccess file by following this link (provided by Apache): http://httpd.apache.org/docs/1.3/howto/h...



Good luck!
