Reputation: 5007
In a way to secure my files from outside access, I am considering placing all the included files outside the public_html folder or the httpdocs folder.
However, this comment is saying that nothing should be kept outside of the public folder that handles user input data.
What is the best and most ideal practice for this? My thinking would be to have a .htaccess point route EVERYTHING to an index.php, and the index.php includes all the necessary files such as database connections and whatever else, and also includes the .php file which would have the HTML and PHP inside it for the main body content of the page.
Can anyone tell me if there is anything wrong with that, and why?
Upvotes: 2
Views: 921
Reputation: 437336
The comment you are referring to says that nothing that handles input or output directly should be outside the document root.
On the other hand, it's perfectly fine to place library code outside the root. If you use index.php as a single entry point to your application, pretty much the only things that should be web-accessible in addition to that script would be your assets (css, js, images, etc).
Upvotes: 1
Reputation: 943163
> However, this comment is saying that nothing should be kept outside of the public folder that handles user input data.

The comment uses the word direct. Includes are handling the data indirectly.

> My thinking would be to have a .htaccess

Configuration is better handled in the main configuration file if possible. .htaccess is marginally less efficient (and scatters configuration across your webroot).

> point route EVERYTHING to an index.php, and the index.php includes all the necessary files such as database connections and whatever else, and also

The front controller pattern is a perfectly reasonable approach.

> includes the .php file which would have the HTML and PHP inside it for the main body content of the page.

Simply including that can start to create a bit of a mess. I suggest investigating the MVC pattern.
Upvotes: 2
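
A front controller along the lines the answers describe, as an added example that is not part of any answer on this page. The directory layout, the route table and the file names (`bootstrap.php`, `home.php` and so on) are assumptions made for illustration.

```php
<?php
// public/index.php: the only PHP script inside the document root.
// Assumed layout (hypothetical paths):
//   app/public/  document root: index.php plus css, js, images
//   app/src/     library code such as the database connection
//   app/views/   page bodies (HTML + PHP)
// The web server is assumed to pass every request that does not match a
// real file to this script (for example FallbackResource /index.php in
// the main Apache configuration rather than in .htaccess).
declare(strict_types=1);

define('APP_ROOT', dirname(__DIR__));

// Allowlist: the request selects a key, never a file name, so user input
// cannot steer require() to an arbitrary path.
const ROUTES = [
    '/'        => 'home.php',
    '/about'   => 'about.php',
    '/contact' => 'contact.php',
];

// Map a request URI to a view file outside the document root, or null.
function resolveView(string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null; // malformed URI
    }
    // Normalise: decode, drop leading/trailing slashes, ignore the query.
    $path = '/' . trim(rawurldecode($path), '/');
    if (!isset(ROUTES[$path])) {
        return null; // anything not listed is a 404, including ../ tricks
    }
    return APP_ROOT . '/views/' . ROUTES[$path];
}

$view = resolveView($_SERVER['REQUEST_URI'] ?? '/');
if ($view === null || !is_file($view)) {
    http_response_code(404);
    echo 'Not found';
    exit;
}

// Library code lives outside the document root and is only ever included,
// so it cannot be requested directly over HTTP.
require_once APP_ROOT . '/src/bootstrap.php';
require $view;
```

With this layout a request for `/src/bootstrap.php` or `/views/home.php` resolves to no route and returns 404, because those files have no URL of their own.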