Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Better security of PHP by keeping include files outside the public folder?

Languages such as Perl, Pythong, etc are usually considered to have a better security comparing with PHP. Apart from possible security holes, one reason can be (I do not know, I am asking) that we do not put the executable files of Perl and Python within public folder. Since PHP files are not executable, it is safe to keep them within public folder.

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers? If yes, is it common? because I do not see any disadvantage (except a little bit harder handling of file spread in different places); but if it is beneficial for improve security, it is worth of consideration. Since I do not know about the ways hackers attach a php-based website, I have no idea how it can improve security.

like image 644
Googlebot Avatar asked Oct 15 '11 15:10

Googlebot


People also ask

How do I protect PHP files from direct access?

or if you prefer to create a way more simpler approach, you can do this: <? phpif ( $_SERVER['REQUEST_METHOD']=='GET' && realpath(__FILE__) == realpath( $_SERVER['SCRIPT_FILENAME'] ) ) {header( 'HTTP/1.0 403 Forbidden', TRUE, 403 );die ("<h2>Access Denied!

Where should PHP files be stored?

php. Make sure you save the file to your "server's" document root directory. Typically this is the folder named "htdocs" in your Apache folder on Windows, or /Library/Webserver/Documents on Mac, but can be set by the user manually.

Are PHP files secure?

PHP is as secure as any other major language. PHP is as secure as any major server-side language. With the new PHP frameworks and tools introduced over the last few years, it is now easier than ever to manage top-notch security.

Are PHP files public?

If your server is properly configured and there are no bugs in your PHP code, then the contents of a PHP file cannot be accessed by the public. If it's poorly configured or there are bugs, then the contents may be available to any attacker.


1 Answers

Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers?

Yes.

If yes, is it common?

Yes.

but if it is beneficial for improve security,

Your PHP app will typically consist of many individual files. Usually, these will get included from other files. For example, you might have:

index.php
lib/db.php
lib/auth.php

In this example, since all the files are in the document root, an external user could hit the url http://domain.com/lib/auth.php and run that include file directly, independent of the auth system that's supposed to be sourcing it. Will it do anything bad when run by itself? Probably not. But to be safe, you should move the include files outside document root, thus making it impossible for the web server to serve them directly.

(Note that this vulnerability is not exclusive to PHP, and thus keeping your libs outside document root is a good practice, regardless of platform.)

like image 119
Alex Howansky Avatar answered Sep 29 '22 02:09

Alex Howansky