Using php to serve javascript and css files

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

Post Reply
jraede
Forum Contributor
Posts: 254
Joined: Tue Feb 16, 2010 5:39 pm

Using php to serve javascript and css files

Post by jraede »

I'm setting up a multitenant system for clients using my software, in which there is one instance stored on my server and each client has his own folder and database with his personal settings. The application is stored in a folder inaccessible through the web. Right now, all client-side included files, like CSS and JavaScript, are stored in each client's individual folder. What I would like to do is store application-side CSS and JavaScript files, like the core AJAX handler or the CSS file for the admin panel, in the application folder, and serve the files through a specific call in the URL query string.

So, something like http://www.mysite.com?view=include&file=admin.css would render the contents of the admin.css file in the non-web-accessible application folder.

I got this to work with javascript, but I can't get it to work with css...I think I'm missing some sort of content type declaration.

Here's the code for my view class:

Code: Select all

<?php
namespace application\views;

class Includer extends \application\auth\Normal {

    public function load() {
        $file = getQueryVar('file');
        if(file_exists(CN_APPLICATION_PATH.'includes/'.$file)) {
            echo file_get_contents(CN_APPLICATION_PATH.'includes/'.$file);
        }
    }
}
?>
I created a JavaScript file that just has alert('test');, included it with this method, and it worked:

Code: Select all

<script type="text/javascript" src="<?=SITE_URL?>?view=include&file=test.js"></script>
But, the browsers don't like it when I include a CSS file using a <link> tag in the header. It's grabbing the text from the file, but the browser doesn't seem to be recognizing it at CSS.

Any ideas?

Thanks.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Using php to serve javascript and css files

Post by Mordred »

For a start, show us the unsuccessful attempt at CSS, not just the working one for JS :)

Should look like this:
<link rel="stylesheet" type="text/css" href="..." />

Also, you must be aware that unless you do some checks in getQueryVar (and you shouldn't, it's not the right place for it) your script will gladly serve any file the PHP user has access to
jraede
Forum Contributor
Posts: 254
Joined: Tue Feb 16, 2010 5:39 pm

Re: Using php to serve javascript and css files

Post by jraede »

I ended up figuring it out, just forgot to post here. For anyone who is interested, you have to put "content-type:text/CSS" as well as "charset=UTF8" in your header. I was neglecting the charset and thus the browsers weren't recognizing the files as CSS.

And yeah, this is just meant to serve files that everyone would have access to anyway. Instead of keeping them on each client's public HTML folder, I'm avoiding duplicates and making it easier for me to make changes by just serving the files from a single non-web-accessible folder on the server. The only things in that folder are client-side loading files like JavaScript and CSS.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Using php to serve javascript and css files

Post by Mordred »

No. I mean *every* file. The one with your database password, your code, the .htpasswd, everything. Try it with &file=../index.php or whatever
jraede
Forum Contributor
Posts: 254
Joined: Tue Feb 16, 2010 5:39 pm

Re: Using php to serve javascript and css files

Post by jraede »

My view class automatically adds "includes/" to the front of the value of the file variable, so unless I'm really confused somewhere, they can only access files in the includes folder, which are files they'd be able to see anyway. Like, saying "file=index.php" would take them to /includes/index.php. If there are no sensitive files in that folder, then I shouldn't have to worry about that, right?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Using php to serve javascript and css files

Post by Mordred »

../../secret/stuff
jraede
Forum Contributor
Posts: 254
Joined: Tue Feb 16, 2010 5:39 pm

Re: Using php to serve javascript and css files

Post by jraede »

Right, I get that, but that whatever they put in there will always take them to the root directory, then the includes folder, then whatever they type. So even trying to access ../../db.php would just try to call the contents of /var/root/application/includes/../../db.php. Can using relative paths like that work even when there is an absolute path in front of it?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Using php to serve javascript and css files

Post by Mordred »

yes. try it.
jraede
Forum Contributor
Posts: 254
Joined: Tue Feb 16, 2010 5:39 pm

Re: Using php to serve javascript and css files

Post by jraede »

Well, you learn something new every day. Say I want to keep these files in a central location, what do you suggest? I could always just put them in a web-accessible location and not serve them through a gateway like this one, but I'm curious about other ideas. I'll be brainstorming here on my end as well. Thanks for pointing that out, I never really thought about that.

Edit: if I just filter out any references to relative location on the filesystem, are there any other potential security issues I could run into? Essentially I just have to prevent them from getting outside the includes folder.
Post Reply