6

I read it's good practice to store php files containing potentially security risk stuff outside the root directory.

Now I have php files containing stuff for proccessing a registration/login. Those are outside the root directory. Now I catch the form content via jquery and send it to this php file.

But this seems not to be possible with js/jquery:

$.ajax({
    type: "POST",
    url: "../php_includes/register.inc.php", //beyond root path
    data: data,
    })
    .done(function(data, status) {
            //...
    });

Do I have a design error or just doing something wrong?

Whats the "best practice" solution here?

Improve this question
3
  • 1
    Do not follow a practice until you understand it. Commented Nov 14, 2014 at 11:41
  • Possibly more important: Don't handle user login information until you understand basic security best practices. Commented Nov 14, 2014 at 13:41
  • 1
    @SalmanA You should try to understand every practice you follow if you want to be a good programmer, but I would rather a programmer on my team follow best practices whether they understand why they are good or not. I've had too many situations where I work with a programmer that refuses to follow long established best practices because he doesn't personally see the value and is too stubborn to learn. Commented Jul 26, 2018 at 20:12

3 Answers 3

Reset to default
8

A "best practise" would reduce the number of entry points to 1. Rather than having index.php, login.php and register.php you have just one file handler.php that handles all incoming requests (aided by rewrite rules).

handler.php bootstraps your application and contains routing information that determines how a request should be handeld. Modules in your application can register routes and that is how that code gets activated.

All your code can be stored outside of the webroot, only handler.php is exposed. And handler.php can be as simple as:

<?php
include(__DIR__ . "/../includes/bootstrap.php");

Rewrite rule to capture all requests:

RewriteEngine on
RewriteRule ^(.*)$ handler.php?path=$1 [QSA]
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Just to be complete, a "nice" example is the implementation of the Symfony framework which exactly does that (it's not the only framework that does it, just the first which came to mind).
This is a better, albeit much more difficult to set up, answer than mine.
Thanks for sharing this. I would accept your answer too, if it was possible to accept two different answers. JSK NS answer is for me practically the best.
4

You wont be able to access any files outside the root directory from the browser (ie. like you're trying to do using Javascript). The entire point of storing files outside the root directory is so that they are not accessible by the client.

It is necessary and safe enough to place registration code inside the document root.

Improve this answer

5 Comments

So storing a php file containing DB-connection (update/insert/etc.) stuff inside root is not a security risk?
That's not what I said - though it's not necessarily a risk to do so if you have your server environment configured properly. Is there a reason why you need to have your database connection information in your registration code? Have your registration code point inside your document root. Have the registration code point to database connection information that is outside the document root.
Of course my DB connection information is not in registration code directly. I include it from a file also outside root path. So asking more correct: Having a php file inside root with mysql queries is not a security risk?
@RafaelWörner well technically that IS a risk for configuration files. If your file only contains SQL queries that should not be a risk (except if sensitive information are hard coded in it).
@RafaelWörner that's correct. Having SQL queries in your root path is probably not a security risk.
2

You'd rather store security-related stuff like configuration files and alike in an external (non-accessible) directory. But if you need to access information stored in these files, you have to create a controller that will filter the access and provide the information in a secure way if needed.

Apache will not serve files that are not located in the website's root directory.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.