Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Accessing php file outside root directory via jquery ajax request

Tags:

javascript

jquery

ajax

php

I read it's good practice to store php files containing potentially security risk stuff outside the root directory.

Now I have php files containing stuff for proccessing a registration/login. Those are outside the root directory. Now I catch the form content via jquery and send it to this php file.

But this seems not to be possible with js/jquery:

$.ajax({
    type: "POST",
    url: "../php_includes/register.inc.php", //beyond root path
    data: data,
    })
    .done(function(data, status) {
            //...
    });

Do I have a design error or just doing something wrong?

Whats the "best practice" solution here?

like image 444
Rafael Wörner Avatar asked Nov 14 '14 10:11

Rafael Wörner

3 Answers

A "best practise" would reduce the number of entry points to 1. Rather than having index.php, login.php and register.php you have just one file handler.php that handles all incoming requests (aided by rewrite rules).

handler.php bootstraps your application and contains routing information that determines how a request should be handeld. Modules in your application can register routes and that is how that code gets activated.

All your code can be stored outside of the webroot, only handler.php is exposed. And handler.php can be as simple as:

<?php
include(__DIR__ . "/../includes/bootstrap.php");

Rewrite rule to capture all requests:

RewriteEngine on
RewriteRule ^(.*)$ handler.php?path=$1 [QSA]
like image 152
Halcyon Avatar answered Sep 25 '22 00:09

Halcyon

You wont be able to access any files outside the root directory from the browser (ie. like you're trying to do using Javascript). The entire point of storing files outside the root directory is so that they are not accessible by the client.

It is necessary and safe enough to place registration code inside the document root.

like image 27
JSK NS Avatar answered Sep 26 '22 00:09

JSK NS

You'd rather store security-related stuff like configuration files and alike in an external (non-accessible) directory. But if you need to access information stored in these files, you have to create a controller that will filter the access and provide the information in a secure way if needed.

Apache will not serve files that are not located in the website's root directory.

like image 26
NaeiKinDus Avatar answered Sep 24 '22 00:09

NaeiKinDus
Sign in to Comment

Related questions

Area Chart with smooth lines possible with D3.js?
JavaScript - Owner of "this"
Codemirror- linting - Is there a event to trigger linting explictly?
grunt-contrib-clean to remove all folders/files except for one folder and its contents
Banned inline style CSP and dynamic positioning of HTML elements
how to return an array from php to ajax response in javascript
Parse: Promise.when with many promises?
Declaring google map markers in a loop
ng-model does not trigger change event
D3 - Create Dynamic "Border" Rectangle around SVG group
How to initialize a select2 disabled
how we set marker label content by javascript in google map api?
Google Maps JavaScript API v3 / Data Layer / MarkerClusterer
jQuery slideUp / slideDown not animating
How to set manual default image, if image is not available on my site using js?
Create multiple lines of text with Snap.svg
Avoiding callback hell in nodeJs / Passing variables to inner functions
How can I color specific letters in html element text? [duplicate]
How to get random word using Wordnik API in Javascript?
Cordova - Deprecated attempt to access property 'userAgent' on a non-Navigator object

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!