including files stored outside of root folder

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

php4user2007
Forum Newbie
Posts: 12
Joined: Mon Apr 02, 2007 4:12 am

including files stored outside of root folder

Post by php4user2007 »

Hi,

I read in a book that it is advised to store the database access information outside the rootfolder for security purposes. I think it makes sense but I would like to know what path I then need to specify in the include statement.

thanks,

P
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Whatever path is necessary to reach the correct file. Generally, I consider the idea only marginally more secure.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

If your site root is /var/www/my_site/public_html/ you would store them in /var/www/my_site/. Keep in mind that if you are including a file that has DB details that are either constants or variables, if you do not unset them after using them then they can still be echoed anywhere later in the script. If you are not distributing this application, why not just put them in the code?
php4user2007
Forum Newbie
Posts: 12
Joined: Mon Apr 02, 2007 4:12 am

Post by php4user2007 »

This makes sense, but I'm just not sure where you get the "/var/www/" from? If I access my domain via FTP it will display a path like http://www.mydomain.com/public_html/index.php so I'm not sure where you can find out what path should be in front of the domain name.

thanks
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

You can write a quick script in PHP to give you the full path:

Code:

<?php
echo dirname(__FILE__);

Run it, check the results, and of course delete it once done. You can run something similar from the PHP command line also if available.

The path is likely a UNIX path (unless you have a Windows server). On a shared host it will usually point to /home/username/www.mydomain.com/public_html/

Everything before /public_html is not accessible from the internet - so you can put the DB details anywhere below the public_html level (for any domain) and include using the absolute path, e.g.:

Code:

include '/home/username/www.mydomain.com/db_details.php';
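The layout discussed in this thread, as an added example that was not posted by any participant: the credentials file sits one level above public_html, returns an array instead of setting globals, and is refused if it resolves to a path inside the web root. The helper name load_private_config() is hypothetical, and the directory layout and credentials are constructed in the temp directory so the script runs anywhere.

```php
<?php
// Added example, not from the thread. Paths and credentials are constructed.

/**
 * Load a credentials file that must live outside the web root.
 * Hypothetical helper: load_private_config() is not a PHP built-in.
 */
function load_private_config(string $configPath, string $docRoot): array
{
    $config = realpath($configPath);   // resolves symlinks and ".." segments
    $root   = realpath($docRoot);
    if ($config === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // A file at or under the document root can be requested over HTTP.
    if (strpos($config, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the web root');
    }
    // The file returns an array, so no credentials land in the global scope.
    $values = require $config;
    if (!is_array($values)) {
        throw new RuntimeException('config file did not return an array');
    }
    return $values;
}

// --- Demo on a constructed layout: <tmp>/my_site_xxxx/{db_details.php, public_html/} ---
$site = sys_get_temp_dir() . '/my_site_' . bin2hex(random_bytes(4));
mkdir($site . '/public_html', 0755, true);
$body = "<?php\nreturn ['host' => 'localhost', 'user' => 'app', 'pass' => 'example-only'];\n";
file_put_contents($site . '/db_details.php', $body);               // outside the web root
file_put_contents($site . '/public_html/db_details.php', $body);   // misplaced copy

// From a script in public_html the first argument would be dirname(__DIR__) . '/db_details.php'.
$db = load_private_config($site . '/db_details.php', $site . '/public_html');
echo 'loaded settings for user ', $db['user'], "\n";

try {
    load_private_config($site . '/public_html/db_details.php', $site . '/public_html');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Remove the constructed files.
unlink($site . '/public_html/db_details.php');
unlink($site . '/db_details.php');
rmdir($site . '/public_html');
rmdir($site);
```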
php4user2007
Forum Newbie
Posts: 12
Joined: Mon Apr 02, 2007 4:12 am

resolved

Post by php4user2007 »

Thank you very much - your suggestion was very helpful.
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

Your question gives me the feeling that your book is advising you to give include files the extension '.inc'...?