Web Hosting Forums

This is a discussion on Newbie Question about include files in the Hosting Talk & Chit-chat forum

  1. #1
    Loyal Client richardforeman's Avatar
    Join Date
    Sep 2002
    Location
    Abilene,TX (Fort Jackson, SC on 4-12-03)
    Posts
    34

    Newbie Question about include files

    It says in the online manual to put all your include files outside the public_html and www files. I do not understand what this means. When I set up a php script I put everything in the public_html and it all works. Is this a major security problem or not? How do I change it to put those files outside the public_html section? I hope this makes sense. Basically I have installed a forum board at http://www.wctsc.net/forum and I put it all in the public_html section. Are there certain files I need to move to protect my database?

    Thanks in advance...
    Richard Foreman
    Abilene,TX

  2. #2
    Chairman Still Shady's Avatar
    Join Date
    Sep 2001
    Location
    Redmond, WA-nnabe
    Posts
    1,184

    Re: Newbie Question about include files

    Originally posted by richardforeman
    Are there certain files I need to move to protect my database?
    No... your setup is just fine...
    Where do you wanna go today?

  3. #3
    Loyal Client richardforeman's Avatar
    Join Date
    Sep 2002
    Location
    Abilene,TX (Fort Jackson, SC on 4-12-03)
    Posts
    34
    thanks for clearing that up for me.
    Richard Foreman
    Abilene,TX

  4. #4
    Loyal Client
    Join Date
    Oct 2001
    Posts
    168

    A further question?

    Still Shady: I learn a lot from reading your responses.

    I have a further question. If Richard puts the include file above the public_html file, is it not a little safer? It's my understanding that just anyone won't have access to that area without the necessary permissions.

    I have read similar recommendations in several different books. But maybe I'm not really understanding.

    Thanks for being such an active participant.

  5. #5
    Chairman Still Shady's Avatar
    Join Date
    Sep 2001
    Location
    Redmond, WA-nnabe
    Posts
    1,184
    Mike: It really depends what kind of file you are including. For example, you include a text file (eg: header.txt) but inside it is a bunch of PHP code. That wouldn't be secure because I can view the source code thru an HTTP request because of its mime type, unlike including a file (ex. header.php) which the server process would occur first before the output is passed to the browser.

    However, it's safer to put the files above the public_html folder but that would be a longer parameter when you do an include() in php, instead of a relative path to the file you have to give an absolute path.

    Correct me if I'm wrong, that's what my thoughts about it!
    Where do you wanna go today?
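
An added example (not part of any post in this thread) illustrating the two points above: a credentials file kept outside public_html and loaded by absolute path, and a check for include files left inside the web root under a non-.php extension. The directory layout, file names and the `find_exposed_includes()` helper are constructed for the demonstration.

```php
<?php
// Added example; every path, file name and value below is constructed for the demo.

// Throwaway account layout: ~/public_html is the web root, ~/includes is not served.
$home    = sys_get_temp_dir() . '/account_' . uniqid();
$docroot = "$home/public_html";
$private = "$home/includes";
mkdir($docroot, 0755, true);
mkdir($private, 0755, true);

// Risky placement: PHP source saved as .txt inside the web root.
file_put_contents("$docroot/header.txt", "<?php \$db_pass = 'constructed-secret'; ?>\n");
// A normal page, plus the credentials file moved outside the web root.
file_put_contents("$docroot/index.php", "<?php echo 'hello'; ?>\n");
file_put_contents("$private/db_config.php", "<?php return ['user' => 'forum', 'pass' => 'constructed-secret'];\n");

// Flag files under the web root that contain PHP code but do not end in .php.
// A server that only hands .php files to the PHP handler sends these as plain text.
function find_exposed_includes(string $docroot): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) === 'php') {
            continue;
        }
        if (strpos(file_get_contents($file->getPathname()), '<?php') !== false) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Absolute path to the private directory, derived from the web root instead of hard-coded.
// In a real script inside public_html this is dirname(__DIR__) . '/includes/db_config.php'.
$config = require dirname($docroot) . '/includes/db_config.php';

print_r(find_exposed_includes($docroot));
echo "DB user loaded from outside the web root: {$config['user']}\n";
```
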

  6. #6
    Loyal Client
    Join Date
    Oct 2001
    Posts
    168

    Sounds right to me!

    Still Shady: Yeah, that sounds pretty much on target with what I have read.

    Wow... You just saved my butt. I was going to go out to the car to check out one of the books I've got where I remember that it commented on this and I found that I left the dome light on...

    Quote from book:

    One way to protect usernames and passwords is to put them in files that are accessed via include or require statements. Such files need not - and should not - reside in directories accessible via the web server. By placing them in a directory that is not web accessible, you make it more difficult for a hacker to discover their contents.

    Of course, my knowledge of UNIX/Linux is pretty limited, so perhaps even the files above public_html are web accessible. I know that my knowledge of this stuff is pretty weak. Always glad to learn.

    Oh, and thanks for the post. I'd have found my battery dead in the morning if it hadn't been for this thread!

  7. #7
    Loyal Client
    Join Date
    Dec 2001
    Posts
    174
    Originally posted by Still Shady
    unlike including a file (ex. header.php) which the server process would occur first before the output is passed to the browser
    Yep, but it is not uncommon for a server to spit out PHP code if it is experiencing a temporary glitch

    Sean

  8. #8
    Loyal Client
    Join Date
    Aug 2001
    Posts
    70
    even if somebody from the Web saw your MySQL name/password, it probably doesn't matter much. they couldn't connect to MySQL from the "outside" anyway. the biggest risk, that's real, is that anybody on the same server as you can read your file even if it is above the Web root. and those people CAN connect to MySQL. nothing you can do about that.
