I have been told that for security reasons all PHP data handling files should be located outside of the website root directory. I have a website hosted in IIS 10 with the includes folder outside the root. Something like this:- website: C:inetpubwwwrootindex.php and PHP files C:includessubmit.inc.php This is obviously not working since http:localhostincludessubmit.inc.php doesn’t exists. The submit.inc.php is a file that AJAX uses to send form data back to the server.
So, should I be worried about PHP file separation in the first place, and if so, how can I reference files outside website physical path in IIS?
Thanks.
Advertisement
Answer
You should have PHP files (or a file if you are using the Front Controller pattern) that are inside the root.
These provide endpoints (i.e. have URLs) that browsers and other clients can make requests to.
From there you can load the dependencies from outside the root using require_once
.
The primary goal of keeping your data processing outside the root is to protect your business logic and security credentials from leaking if an HTTP server configuration error causes your PHP files to be served up raw instead of processing them with PHP.
This isn’t served by keeping all your PHP outside the root.