user3420034

Safe to store PHP files above public directory and load them using require_once?

I import website files at the top of each page using:

require_once('../file.php');

Is this the correct approach? Or should I be using a different PHP function/approach to access private files? I'm concerned that this approach may be prone to directory traversal attacks.

Upvotes: 3

Views: 2116

Answers (2)

Scott Arciszewski

Reputation: 34113

Is this the correct approach?

Yes.

Or should I be using a different PHP function/approach to access private files?

No, keeping them outside of your document root should be sufficient. If, for example, you have a Local File Inclusion vulnerability somewhere in your application, you should focus on fixing the vulnerabilities rather than trying to hide your sensitive files.

Security through obscurity is no security at all.

Upvotes: 3
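
An added example, not part of the answer above or of the asker's code: a fixed path such as `require_once('../file.php')` gives a visitor nothing to traverse with, so the Local File Inclusion risk mentioned in the answer arises only when request data chooses the file. The sketch below resolves a request-supplied page name through an allow-list and confirms with `realpath()` that the result stays inside the private directory. The directory layout and the names `PRIVATE_DIR`, `ALLOWED_PAGES` and `resolvePrivateFile()` are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout (hypothetical): this script lives in the document root,
// and the include files live in a sibling "private" directory above it.
const PRIVATE_DIR = __DIR__ . '/../private';

// Hypothetical allow-list: request value => file name inside PRIVATE_DIR.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Map a request-supplied page name to an absolute path inside $baseDir.
 * Returns null when the name is unknown or the path leaves the directory.
 */
function resolvePrivateFile(string $page, string $baseDir = PRIVATE_DIR, array $allowed = ALLOWED_PAGES): ?string
{
    // 1. Never build the path from raw input: look the name up instead.
    if (!array_key_exists($page, $allowed)) {
        return null;
    }

    // 2. Canonicalise both paths; realpath() returns false if one is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$page]);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Defence in depth: the resolved file must sit under the base
    //    directory (catches symlinks or a bad allow-list entry).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable pattern this replaces (local file inclusion):
//   require_once '../private/' . $_GET['page'] . '.php';

$page = $_GET['page'] ?? 'home';
$file = is_string($page) ? resolvePrivateFile($page) : null;
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
require_once $file;
```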

deniskoronets

Reputation: 540

Yep, it's a good practice. But if it's impossible to put some files above the web site's www directory, then you can create a .htaccess file (for Apache) in the private folder with this content:

deny from all

It blocks access to any file in the directory.

Upvotes: 2
