Accessing php file outside root directory via jquery ajax request

I read it's good practice to store php files containing potentially security risk stuff outside the root directory.

Now I have php files containing stuff for processing a registration/login. Those are outside the root directory. Now I catch the form content via jquery and send it to this php file.

But this seems not to be possible with js/jquery:

$.ajax({
    type: "POST",
    url: "../php_includes/register.inc.php", // beyond root path
    data: data
})
.done(function(data, status) {
    //...
});

Do I have a design error or just doing something wrong?

What's the "best practice" solution here?

Rafael Wörner asked Nov 14 '14 10:11

3 Answers

A "best practice" would reduce the number of entry points to 1. Rather than having index.php, login.php and register.php you have just one file handler.php that handles all incoming requests (aided by rewrite rules).

handler.php bootstraps your application and contains routing information that determines how a request should be handled. Modules in your application can register routes and that is how that code gets activated.

All your code can be stored outside of the webroot, only handler.php is exposed. And handler.php can be as simple as:

<?php
include(__DIR__ . "/../includes/bootstrap.php");

Rewrite rule to capture all requests:

RewriteEngine on
RewriteRule ^(.*)$ handler.php?path=$1 [QSA]
Halcyon answered Sep 25 '22 00:09
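As an added illustration of the single-entry-point layout described in this answer (this is example code, not the answerer's): handler.php is the only PHP file under the document root, everything else sits one level above it, and a fixed route table decides which file outside the webroot processes the request. The directory layout, bootstrap.php, the routes/*.php files and the convention that each route file defines a handle(array $input): array function are all assumptions for the example.

```php
<?php
// public/handler.php  (the only PHP file under the document root)
// Added example, not the answerer's code. Assumed layout:
//   /var/www/app/public/handler.php            <- document root
//   /var/www/app/includes/bootstrap.php        <- outside the document root
//   /var/www/app/includes/routes/register.php  <- outside the document root
//   /var/www/app/includes/routes/login.php     <- outside the document root
declare(strict_types=1);

// Everything security-relevant lives one level above the document root,
// so the web server cannot serve it directly no matter what URL is requested.
$includes = dirname(__DIR__) . '/includes';
require $includes . '/bootstrap.php';   // session start, DB handle, etc. (assumed)

// Fixed route table: only names listed here can ever be dispatched. The
// "path" parameter supplied by the rewrite rule is used as an array key,
// never as part of a filename, so it cannot select arbitrary files.
$routes = [
    'register' => $includes . '/routes/register.php',
    'login'    => $includes . '/routes/login.php',
];

$path = trim((string) ($_GET['path'] ?? ''), '/');

header('Content-Type: application/json');

if (!isset($routes[$path])) {
    http_response_code(404);
    echo json_encode(['error' => 'unknown route']);
    exit;
}

// Registration and login mutate state, so only accept POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'method not allowed']);
    exit;
}

// Each route file defines handle(array $input): array (assumed convention).
// Only one route file is loaded per request, so the function name does not clash.
require $routes[$path];
$result = handle($_POST);
echo json_encode($result);
```

With the rewrite rule from the answer in place, the jQuery call from the question simply posts to url: "register" (or "/register") instead of a relative path that climbs out of the webroot; the form data reaches handle() in includes/routes/register.php even though that file has no URL of its own. A quick sanity check after deploying is to request handler.php's siblings and the includes directory directly and confirm the server answers 404 for anything except handler.php.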


You won't be able to access any files outside the root directory from the browser (i.e. like you're trying to do using Javascript). The entire point of storing files outside the root directory is so that they are not accessible by the client.

It is necessary and safe enough to place registration code inside the document root.

JSK NS answered Sep 26 '22 00:09


You'd rather store security-related stuff like configuration files and the like in an external (non-accessible) directory. But if you need to access information stored in these files, you have to create a controller that will filter the access and provide the information in a secure way if needed.

Apache will not serve files that are not located in the website's root directory.

NaeiKinDus answered Sep 24 '22 00:09