I am in the process of migrating my site to a server from its localhost location. In my server root, I want to have a public_html folder that maps to the main domain, and a private folder that contains my resources (models, libraries, templates, PHP tools, etc.). Currently, though, I have a few JavaScript files in the public folder that make AJAX calls to PHP files I want to keep in the private directory. I understand that, since the AJAX call will be made from the client browser, I cannot reference the private folder.
So here are the two ideas I had:
1. Move the PHP files to the public directory. (Not entirely sure about the security risks, but all they do is make calls to my database, the inputs of which I sanitize.)
2. Have AJAX call a PHP file in the public directory that does a server-side include of the private PHP file I want to call.
Is option number 2 really a solution to preventing access to a private file outside the public directory? If not, what security issues should I keep in mind if I need to move the AJAX-called PHP files to the public directory?
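Option 2 from the question, sketched as an added example that is not part of the original post: a single public entry point that maps an allow-listed action name to a script in the private folder. The file name `ajax.php`, the `action` parameter, the handler names and the sibling `public_html`/`private` layout are all assumptions made for illustration.

```php
<?php
// public_html/ajax.php -- hypothetical public entry point (name is an assumption).
declare(strict_types=1);

// Assumed layout: public_html/ and private/ sit side by side under the server root.
const PRIVATE_DIR = __DIR__ . '/../private';

// Allow-list: request value => private script. The client never supplies a path.
const HANDLERS = [
    'list_items' => 'ajax/list_items.php',   // hypothetical handler names
    'save_item'  => 'ajax/save_item.php',
];

function resolve_handler(string $action): ?string
{
    if (!array_key_exists($action, HANDLERS)) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . HANDLERS[$action]);
    // realpath() returns false for a missing file; the prefix check confirms
    // the resolved file is still inside the private directory (no symlink escape).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$action  = $_POST['action'] ?? '';
$handler = is_string($action) ? resolve_handler($action) : null;

// Unknown actions and non-POST requests get the same answer as a missing page.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $handler === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: application/json');
require $handler; // the private script runs with this request's input
```

Keeping the handlers outside the web root stops them from being requested by URL directly, but each one is still reachable through the wrapper with whatever input the request carries. Authentication, authorization and input validation therefore still belong in the wrapper or in the handlers themselves.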