
I import website files at the top of each page using:

require_once('../file.php');

Is this the correct approach? Or should I be using a different PHP function/approach to access private files? I'm concerned that this approach may be prone to directory traversal attacks.

  • Yes, keeping "private" stuff outside of the document root is always a good idea in general, not just for PHP files. PHP doesn't care where the files are, as long as they're reachable and readable when needed. – Marc B Jul 28 '15 at 17:30

2 Answers

Yep, it's a good practice. But if it is impossible to put some files above the web site's www directory, then you can create a .htaccess file (for Apache) in the private folder with the content:

deny from all

It blocks access to any file in the directory.

deniskoronets


Is this the correct approach?

Yes.

Or should I be using a different PHP function/approach to access private files?

No, keeping them outside of your document root should be sufficient. If, for example, you have a Local File Inclusion vulnerability somewhere in your application, you should focus on fixing the vulnerabilities rather than trying to hide your sensitive files.

Security through obscurity is no security at all.

Scott Arciszewski
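To make the distinction in the answers concrete, here is an added example (not code from the question or either answer): a literal require_once path takes no request input and cannot be steered, so the directory traversal worry only applies when the included path is built from user data. The vulnerable loader is shown beside a hardened one that allowlists page names and verifies the resolved path stays under a private directory; the directory layout and function names are assumptions for illustration.

```php
<?php
// Assumed layout (hypothetical): the private pages live in
// /var/www/private/pages, outside the document root /var/www/html.
define('PRIVATE_PAGES', __DIR__ . '/../private/pages');

// Vulnerable: the request controls the path. A value containing "../"
// escapes PRIVATE_PAGES, so keeping files outside the web root does not
// help here; this is the Local File Inclusion bug the second answer says
// must be fixed rather than hidden.
function load_page_vulnerable(string $page): void
{
    require_once PRIVATE_PAGES . '/' . $page . '.php';
}

// Hardened: resolve the page name through a fixed allowlist, then confirm
// the canonical path is still inside PRIVATE_PAGES before including it.
// Returns the safe absolute path, or null when the request is rejected.
function resolve_page_path(string $page): ?string
{
    static $allowed = ['home', 'about', 'contact'];
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath(PRIVATE_PAGES);
    $path = realpath($base . '/' . $page . '.php');
    // realpath() returns false for a missing file; the prefix check also
    // rejects a symlink that points outside the private directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_page_hardened(string $page): void
{
    $path = resolve_page_path($page);
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    require_once $path;
}

load_page_hardened($_GET['page'] ?? 'home');
```

Note that the static `require_once('../file.php');` from the question needs neither check, because nothing in the request can change the string.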