I’ve been told it’s good practice to keep as much of my PHP files outside of public_html whenever possible.
It’s been suggested to me to use define magical constants to refer to files outside of public_html which is fine, I can go one directory up out of public_html by doing that.
My question now is this:
- What are the differences between webroot and document root?
- To prevent stuff like directory traversing, is it OK to just refer to a folder one directory up outside of public_html? Or do I need to go further, many directories up to ensure those files cannot be accessed?
I also want not just to avoid/prevent directory traversing but to hide important files like my connection file that contains my MySQL username and login details every time it makes a connection for example.
Webroot and document root are just two different terms that, in the case of web development, mean the same thing.
Only files inside the webroot (in your case public_html) can be accessed over the web. Anything outside of it can only be accessed by the server itself. So, you can create a folder next to public_html for all your web-related files that you don’t want web-accessible.

However, bear in mind that users won’t ever see the PHP source, since it gets executed before the file is sent to the user. So that means that even if a user tries to access your “connect to the database” file, all they’ll get is an empty page, and no trace of your login credentials.
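An added example (not part of the original question or answer) of the layout both posts describe: the credentials file lives in a `private` directory one level above `public_html`, and the script in the document root locates it relative to its own location with `__DIR__` rather than relative to anything that comes from the request. The directory names, the `loadPrivateFile()` helper and the contents of `db-config.php` are assumptions for the illustration. One directory up is sufficient as long as that directory is outside the document root; going further up adds nothing. The helper also checks, via `realpath()`, that the file it is about to `require` really resolves inside the private directory, so a name containing `..` or a stray symlink cannot pull in something else.

```php
<?php
// Added example, not code from the original post. Assumed layout:
//   /home/user/
//   ├── private/            <- outside the document root, not web-accessible
//   │   └── db-config.php   <- returns an array with the MySQL credentials
//   └── public_html/        <- document root (webroot)
//       └── index.php       <- this file
declare(strict_types=1);

// __DIR__ is the directory of this PHP file; dirname() goes one level up.
// The path is derived from the file system, never from user input.
define('PRIVATE_DIR', dirname(__DIR__) . DIRECTORY_SEPARATOR . 'private');

/**
 * Load a configuration file from PRIVATE_DIR and return the array it returns.
 * Accepts a bare file name only and refuses anything that resolves outside
 * PRIVATE_DIR (traversal sequences, absolute paths, symlinks pointing away).
 */
function loadPrivateFile(string $name): array
{
    // Plain file name only: letters, digits, dash, underscore, dot; no "..".
    if (!preg_match('/^[A-Za-z0-9_.-]+\.php$/', $name) || str_contains($name, '..')) {
        throw new InvalidArgumentException("Invalid private file name: $name");
    }

    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . DIRECTORY_SEPARATOR . $name);

    // realpath() returns false for a missing file; the prefix check rejects a
    // resolved path (e.g. through a symlink) that lands outside the private dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("Refusing to load $name from outside " . PRIVATE_DIR);
    }

    $config = require $path;   // db-config.php is expected to `return [...]`
    if (!is_array($config)) {
        throw new RuntimeException("$name did not return a configuration array");
    }
    return $config;
}

// Usage. The assumed private/db-config.php contains (placeholder values):
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=app', 'user' => 'app', 'pass' => 'CHANGE-ME'];
$db  = loadPrivateFile('db-config.php');
$pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

Because `db-config.php` sits outside `public_html`, no URL maps to it, so it is never served as a file and never executed on its own; it only runs when a script inside the document root includes it. Keeping the credentials there, rather than inside the webroot, also means they are not exposed if the web server is ever misconfigured to serve `.php` files as plain text, or if an editor leaves a `db-config.php~` or `.bak` copy behind.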