Bringing up an old topic.. Class files & htdocs

Posted: Fri Nov 07, 2008 3:04 pm
by infolock
I hate to bring this up, but times have changed since the last time I read up on this. Once upon a time there was a debate about whether or not to keep a directory that contains all of your classes either inside htdocs, or behind (outside) of htdocs. I'm starting this thread to see what people think today and what their opinion on the matter is.

One side of the fence says that putting classes in an htdocs directory is a security issue. The reasoning is that classes are built to return information, not present it. They return values, arrays, etc.; they aren't intended to echo out HTML (and if they do, they need to be rewritten). The scripts that call the classes are the ones that echo out the HTML.

The other issue is that people consider classes that live in htdocs a security threat. Classes are designed to handle sensitive information, and allowing someone to stumble upon your classes directory is quite scary, as they can now zero in on the one directory to attack that you really don't want them to even know about.

On the other side of the fence, it doesn't matter. The htdocs directory is as unsecure (or is it insecure? never get that right) as you make it. If you can block off access browsing to the directory, then you've pretty much gotten rid of the "stumble" issue.

To argue the second point above though, the way some see it is "write clean code and you don't have to worry about it". This argument to me is kind of silly as everyone makes mistakes, no matter how much you code. But the simple fact is, if you have written a mistake that's echoing out data, you're gonna have that as an issue anyways when the page loads.

To be honest, as you can tell, I'm more on the fence, leaning towards not putting it in htdocs. To me it makes sense to keep classes out of the htdocs directory, simply because they don't belong. They don't have a purpose that suits presenting any HTML, they'll never be navigated to as a display file (and if they are, that should be fixed immediately), and they could potentially be a risk (even though I'm not 100% sold on this yet).

Re: Bringing up an old topic.. Class files & htdocs

Posted: Fri Nov 07, 2008 3:45 pm
by veridicus
My project directory structure is very organized. My project/public/htdocs directory only contains index.php and css, images, js, etc. Basically nothing directly executable from the browser except index.php. My classes are organized elsewhere in my tree by function. So I have a project/model directory for business objects and a project/public/template directory just for templates.

I don't know if it really makes that big a difference for security, but it helps keep my code organized.

Re: Bringing up an old topic.. Class files & htdocs

Posted: Sun Nov 09, 2008 6:41 pm
by alex.barylski
I don't keep any PHP files (exception being index.php) in the htdocs folder for the following reasons:

1. If they are publicly accessible they are potentially publicly viewable -- I keep my code private both for business purposes and security through obscurity.

2. Any executable script on the public side of things could potentially be hacked. While you can apply read-only permissions to PHP scripts in the htdocs directory, if they are out of sight they are out of mind.

htdocs is really only for publicly accessible files, so it doesn't really make sense to keep an application core in the same directories...
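As an added example of the layout veridicus and alex.barylski describe (this is not code from the thread), here is a front controller that keeps every class outside the document root and lets only the template echo HTML; the class names HomePage/AccountPage, the toArray() method and the template file names are assumptions.

```php
<?php
// project/public/htdocs/index.php: the only PHP file under the document root.
// Added example, not code from the thread. Assumes the layout veridicus
// describes: project/public/htdocs for the front controller, project/model
// for classes and project/public/template for templates.
declare(strict_types=1);

// Resolve project paths from this file's location, never from request data.
define('PROJECT_ROOT', dirname(__DIR__, 2));
define('MODEL_DIR', PROJECT_ROOT . '/model');
define('TEMPLATE_DIR', PROJECT_ROOT . '/public/template');

// Autoloader: Name -> project/model/Name.php. The class name is checked
// against a strict pattern so nothing derived from a request can become
// a path component.
spl_autoload_register(static function (string $class): void {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
        return;
    }
    $file = MODEL_DIR . '/' . $class . '.php';
    if (is_file($file)) {
        require $file;
    }
});

// Fixed routing table: request parameter -> model class + template. Model
// classes return data (arrays); only the template echoes HTML, which is the
// separation the thread argues for. Class and template names are assumed.
$routes = [
    'home'    => ['model' => 'HomePage',    'template' => 'home.php'],
    'account' => ['model' => 'AccountPage', 'template' => 'account.php'],
];
$action = $_GET['action'] ?? 'home';

if (!isset($routes[$action])) {
    http_response_code(404);
    echo 'Not found';
    exit;
}

$modelClass = $routes[$action]['model'];
$data = (new $modelClass())->toArray();   // hypothetical toArray() on the model
$template = TEMPLATE_DIR . '/' . $routes[$action]['template'];

// The template is included with $data in scope. The model file itself has no
// URL because nothing under htdocs maps to project/model.
require $template;
```

With this layout a web server misconfiguration that serves .php files as plain text exposes only index.php, and no class file can be executed directly by a request.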