0

My website is in /var/www/html.

I have a few files (PHP and JavaScript) that are one level up, in /var/www.

I'm able to access the PHP file for my MySQL login credentials, but I can't access the JavaScript file. In the <head> of my Login document, this is how I have it:

<script src="../sha256.js"></script>

This worked fine until I moved the sha256.js file. But now, when I try to log in, the document can't find the file.

1 Answer

4

Can I access a JavaScript file that is out of the document root?

No.

If it isn't under the Document Root then it doesn't have a URL [1].

If it doesn't have a URL then the browser can't request it.

Given the URL http://example.com/ and the relative URL from it ../foo the browser will delete a 'directory' off the end of the URL for each ../. If there aren't any, then it will ignore them. Thus it resolves to http://example.com/foo.

I'm able to access the PHP file for my MySQL login credentials

This is, presumably, server side code which deals with the server's file system and not with URLs.


[1] This is a simplification. There are other ways (alias, mod_rewrite, etc) to give a file a URL, but for your purposes, moving the file under the Document Root is the simplest solution.
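
The resolution rule described in the answer, as an added example that is not part of the original answer: it resolves the `src` value with the standard `URL` class (built into browsers and Node.js), then maps the result to a file the way a plain static server with document root /var/www/html would. The page URL `http://example.com/login.php` and the helper names `resolveSrc` and `urlToFile` are assumptions.

```javascript
// Constructed values modelled on the question; the page URL is an assumption.
const DOC_ROOT = '/var/www/html';
const PAGE_URL = 'http://example.com/login.php';

// Resolve a src/href value against the page URL exactly as a browser does.
// The URL parser drops any "../" that would climb above the site root.
function resolveSrc(src, pageUrl = PAGE_URL) {
  return new URL(src, pageUrl).href;
}

// Map a request URL to the file a plain static server would read.
// Returns null when the decoded path tries to leave the document root.
function urlToFile(url, docRoot = DOC_ROOT) {
  let decoded;
  try {
    decoded = decodeURIComponent(new URL(url).pathname);
  } catch (err) {
    return null; // malformed URL or percent-encoding
  }
  const parts = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (parts.length === 0) return null; // would escape docRoot
      parts.pop();
    } else {
      parts.push(seg);
    }
  }
  return [docRoot, ...parts].join('/');
}

// Each src below ends up as the same URL and the same file under DOC_ROOT.
for (const src of ['sha256.js', '../sha256.js', '../../../sha256.js']) {
  const url = resolveSrc(src);
  console.log(`${src} -> ${url} -> ${urlToFile(url)}`);
}
```

Every variant maps to /var/www/html/sha256.js and never to /var/www/sha256.js, so the script has to live under the document root or be given a URL by the server.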


8 Comments

Unless there is a RewriteRule or a PHP front controller that can look at the REQUEST_URI to decide whether to load a resource from outside the document root or not.
Lol, well I think you just covered that. +1
@Landslyde you can't hide it. If your page needs the browser to fetch the code, then it has to be in an accessible URL.
@Landslyde — You can't … but you shouldn't need to. Hashes are one-way and sha256 is a standard anyway. That said, you shouldn't need to hash the password on the client anyway. Hash it on the server … but use SSL to encrypt it when you send it to the server.
@Landslyde The point is that you shouldn't use (client-side) JavaScript to hash the password. Since you're using PHP you should use password_hash to hash it server-side before storing it and then password_verify when you need to check if an entered password is correct. password_hash will handle doing things the right way (using a slow/iterating algorithm like bcrypt, instead of a fast hash like sha256, which is not meant for passwords, and automatically adding a random salt).