[nycphp-talk] FUNDAMENTALS #1: Site Structure

Sexton, David David.SextonJr at ubs.com
Thu Sep 4 10:47:04 EDT 2003


I try to keep all the includes in a central location that is not under the
web root. The reason is that it's easy to use components across multiple
sites and everything is easy to locate. I typically use a file naming
convention for the include files within that central directory to identify
which ones are site specific or general purpose or whatever the case may be.

I don't really feel that exposure is much of an issue because I haven't
heard of any vulnerabilities where a user can stop the server from parsing
the PHP code. I have, however, seen exploits on unpatched NT servers that
allow you to read any file on the target's filesystem using simple DOS
commands. So, I guess if you're up to date on all your patches, security
concerns shouldn't influence anyone's decision to place includes in location
A rather than B.




-----Original Message-----
From: Jeff [mailto:jsiegel1 at optonline.net]
Sent: Thursday, September 04, 2003 6:59 AM
To: 'NYPHP Talk'
Subject: [nycphp-talk] FUNDAMENTALS #1: Site Structure


FUNDAMENTALS #1: Site Structure:  Where to Locate Includes?

Index.php is always located in a website's document root, /var/www/html/
on a Linux box.
Where should includes be located?

Here are some possibilities:
* in the same directory, /var/www/html/
* in a subdirectory of document root, /var/www/html/includes/
* in a parallel directory to document root, /var/www/includes

What are the advantages and disadvantages of each possibility?
IN THE SAME DIRECTORY
* simple
* but confusing and cluttered if there are more than just a few
IN A SUBDIRECTORY
* provides a logical place for them
* but exposes them to browsers
IN A PARALLEL DIRECTORY
* provides a logical place for them
* doesn't expose them to browsers
* but perhaps write privileges are not available (or needed?)

What does exposure matter?
If the include file contains html, it will be visible in the calling
file's source code.
If it contains php code (like a database connection), it will never be
visible anyway.

Are there important principles here, or is location just a matter of
preference?

=======================================================================
Don't know what this posting is all about?
See: http://lists.nyphp.org/pipermail/talk/2003-September/005049.html
=======================================================================

Jeff

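An added example, not part of the thread or either poster's code: a Python audit that reports which include files can be requested by URL under the three layouts listed in the original message. The temporary tree, the file names (header.php, db.php, the "shared" symlink) and the assumption that the web server follows symlinks inside the document root are constructed for illustration.

```python
import os
import tempfile

def exposed_includes(docroot, include_files):
    """Return {url_path: real_file} for include files reachable under docroot."""
    wanted = {os.path.realpath(p) for p in include_files}
    found, seen = {}, set()
    # followlinks=True: assumes the web server follows symlinks in the docroot.
    for dirpath, dirs, files in os.walk(docroot, followlinks=True):
        real_dir = os.path.realpath(dirpath)
        if real_dir in seen:          # guard against symlink cycles
            dirs[:] = []
            continue
        seen.add(real_dir)
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.realpath(full) in wanted:
                url = "/" + os.path.relpath(full, docroot).replace(os.sep, "/")
                found[url] = os.path.realpath(full)
    return found

def build_sample_tree(base, with_symlink):
    """Constructed layout: base/html plays the role of /var/www/html."""
    docroot = os.path.join(base, "html")
    includes = [
        os.path.join(docroot, "header.php"),           # same directory
        os.path.join(docroot, "includes", "db.php"),   # subdirectory
        os.path.join(base, "includes", "db.php"),      # parallel directory
    ]
    for path in includes + [os.path.join(docroot, "index.php")]:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
    if with_symlink:
        # A link from the docroot into the parallel directory re-exposes it.
        os.symlink(os.path.join(base, "includes"), os.path.join(docroot, "shared"))
    return docroot, includes

def demo(with_symlink):
    """Build the sample tree and return the sorted URL paths of exposed includes."""
    with tempfile.TemporaryDirectory() as base:
        docroot, includes = build_sample_tree(base, with_symlink)
        return sorted(exposed_includes(docroot, includes))

if __name__ == "__main__":
    print(demo(with_symlink=False))
    print(demo(with_symlink=True))
```

Files in the same directory or in a subdirectory of the document root get a URL; the parallel directory does not, unless something inside the document root links to it.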



