I import website files at the top of each page using:
require_once('../file.php');
Is this the correct approach? Or should I be using a different PHP function/approach to access private files? I'm concerned that this approach may be prone to directory traversal attacks.
Is this the correct approach?
Yes.
Or should I be using a different PHP function/approach to access private files?
No, keeping them outside of your document root should be sufficient. If, for example, you have a Local File Inclusion vulnerability somewhere in your application, you should focus on fixing the vulnerabilities rather than trying to hide your sensitive files.
Security through obscurity is no security at all.
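The answer above says to fix a Local File Inclusion bug instead of hiding files. As an added example (not code from the original question or answers), the sketch below shows one common way to do that when an include name comes from a request: resolve it with `realpath()` and refuse anything that lands outside the private directory. The helper name `resolve_private_include`, the temp-directory layout and the sample inputs are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: map a request-supplied name to a file inside $baseDir,
// or return null if the resolved path falls outside it.
function resolve_private_include(string $baseDir, string $name): ?string
{
    // Null bytes are never valid in a file name; reject before touching the filesystem.
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", "." and symlinks, and returns false if the file is missing.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // The trailing separator stops "/srv/private_evil" from matching "/srv/private".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed layout in a temp directory: private/header.php is a legitimate
// include, secret.php sits one level above it and must never be reachable.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/private', 0700, true);
file_put_contents($root . '/private/header.php', "<?php echo 'header loaded', PHP_EOL;");
file_put_contents($root . '/secret.php', "<?php echo 'SECRET', PHP_EOL;");

// Constructed inputs standing in for something like $_GET['page'].
foreach (['header', '../secret', "header\0", '/etc/passwd'] as $input) {
    $file = resolve_private_include($root . '/private', $input);
    printf("%-18s => %s\n", json_encode($input), $file === null ? 'rejected' : 'allowed');
    if ($file !== null) {
        require_once $file;
    }
}

// Remove the constructed demo files.
unlink($root . '/private/header.php');
unlink($root . '/secret.php');
rmdir($root . '/private');
rmdir($root);
```

A hard-coded path such as the `require_once('../file.php');` in the question never passes through user input, so it does not need this check.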
Yep, it is a good practice. But if it is impossible to put some files above the website's www directory, then you can create a .htaccess file (for Apache) in the private folder with the content:
deny from all
It blocks access to any file in the directory.