Bringing up an old topic.. Class files & htdocs
Posted: Fri Nov 07, 2008 3:04 pm
I hate to bring this up, but times have changed since the last time I read up on this. Once upon a time there was a debate about whether or not to keep a directory that contains all of your classes either inside htdocs, or behind (outside) of htdocs. I'm starting this thread to see what people think today and what their opinion on the matter is.
One side of the fence says that putting classes in an htdocs directory is a security issue. The reasoning is because classes are built to return information, not present. They return values, arrays, etc, they aren't intended to echo out HTML (and if they do, they need to be rewritten). The scripts that call the classes are the ones that echo out the html.
The other issue is that some people consider classes that live in htdocs a security threat. Classes are designed to handle sensitive information, and allowing someone to stumble upon your classes directory is quite scary, as they can now zero in on the one directory to attack that you really don't want them to even know about.
On the other side of the fence, it doesn't matter. The htdocs directory is as unsecure (or is it insecure? never get that right) as you make it. If you can block off access browsing to the directory, then you've pretty much gotten rid of the "stumble" issue.
To argue the second point above though, the way some see it is "write clean code and you don't have to worry about it". This argument to me is kind of silly as everyone makes mistakes, no matter how much you code. But the simple fact is, if you have written a mistake that's echoing out data, you're gonna have that as an issue anyways when the page loads.
To be honest, as you can tell, I'm more on the fence, leaning towards not putting it in htdocs. To me it makes sense to keep classes out of the htdocs directory, simply because they don't belong there. They don't have a purpose that suits presenting any HTML, they'll never be navigated to as a display file (and if they are, that should be fixed immediately), and they could potentially be a risk (even though I'm not 100% sold on this yet).
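The layout the post leans towards (classes one level above the document root, with only the front controller inside htdocs), as an added example that is not code from the original post. It assumes a hypothetical tree of /var/www/app/htdocs/index.php and /var/www/app/lib/User.php, where lib/User.php defines a class User whose constructor takes an id and which has a displayName() method, and where that file opens with `if (!defined('APP_ENTRY')) { http_response_code(404); exit; }` so it refuses to run if it is ever requested directly.

```php
<?php
// htdocs/index.php: added example, not code from the original post.
// Assumed (hypothetical) layout:
//   /var/www/app/htdocs/index.php   this file; htdocs is the only directory the web server maps to URLs
//   /var/www/app/lib/User.php       class files, one level above the document root
// Because lib/ is outside htdocs, no URL resolves to it: a request for /lib/User.php is a 404
// regardless of what the file contains or how the server is configured for PHP.
declare(strict_types=1);

// Marker that class files can check so they refuse to run when requested directly
// (defence in depth should a class ever end up under htdocs again).
define('APP_ENTRY', true);

// Private code directory resolved from this file's location, never from request data.
$libDir = realpath(__DIR__ . '/../lib');
if ($libDir === false) {
    http_response_code(500);
    exit('missing lib directory');
}

/**
 * Map a class name to a file under $libDir, or return null if the name is not a
 * plain (optionally namespaced) identifier. Validating first means a name such as
 * "../../etc/passwd" is rejected before it is ever joined to a path.
 */
function classFileFor(string $class, string $libDir): ?string
{
    if (!preg_match('/\A[A-Za-z_]\w*(\\\\[A-Za-z_]\w*)*\z/', $class)) {
        return null;
    }
    $file = $libDir . '/' . str_replace('\\', '/', $class) . '.php';
    return is_file($file) ? $file : null;
}

// The autoloader is the only thing that turns a class name into a require;
// nothing under htdocs needs to know where the classes physically live.
spl_autoload_register(function (string $class) use ($libDir): void {
    $file = classFileFor($class, $libDir);
    if ($file !== null) {
        require $file;
    }
});

// Presentation stays in the script: the class returns data, this file escapes and echoes it.
$user = new User(42);
header('Content-Type: text/html; charset=UTF-8');
echo '<p>Hello, ', htmlspecialchars($user->displayName(), ENT_QUOTES, 'UTF-8'), '</p>';
```

Moving the directory out of htdocs closes the "stumble" problem at the URL-mapping layer, so it does not depend on a rewrite rule or directory setting being present on every server the code is deployed to. If the classes have to stay under htdocs, the equivalent block is an Apache `<Directory>` section for that path containing `Require all denied` (Apache 2.4) or `Deny from all` (2.2); PHP can still `require` the files from disk, only the HTTP route to them is closed, and the APP_ENTRY guard in each class file is the fallback if that configuration is ever lost.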