Hacking with PHP has been updated for PHP 7 - click here! >>

Put key files outside your document root

Your document root is the root directory of your web server. That is, if your site is example.com, the root directory would be the directory that http://www.example.com/ points to. For example, on Linux this is often /var/www/html, and on Windows this is often c:\wwwroot.

As long as you have the permissions set up correctly, PHP can read from any file you want inside scripts. However, unless you configure Apache to do otherwise, users will not be able to load files from outside of the document root directly through their web browser. That is, if you place your files in /var/www, and the "highest" directory your visitors can get to is /var/www/html, then the files are safe.


If this was helpful, please take a moment to tell others about Hacking with PHP by tweeting about it!

Next chapter: Remember that most files are public >>

Previous chapter: Choose your file extension carefully

Jump to:


Home: Table of Contents

Copyright ©2015 Paul Hudson. Follow me: @twostraws.