(THIS IS A DUPLICATE, I FORGOT A TAG, PLEASE FORGIVE)

I'm writing a small CMS for a client using my own little framework and am running into one issue (not 100% sure it's an issue, but I'm sensing it will be).

So, for example, I have a News.php class that handles all of my Blog updates (CMS user input) and output (display of blog data on the actual site). Now, because it makes me feel safer, I tuck all my classes that have to do with the CMS in a password protected "admin" folder.

The problem here arises when I need to utilize my nifty News.php class for the "View" layer of the site. I'm assuming since the class will be sitting in a password protected folder (admin/includes) anyone viewing the blog page will be prompted for the user and login for that folder in order to view the blog contents.

Is there a way of letting local files access password protected directories without being prompted for user and password info? (or does this happen?)

AND OR

Would you recommend storing my classes in a separate area of the site. I feel like the more locations I store my classes in the more complex my includes become, which can quickly turn into a nightmare. My ultimate goal would be to have ALL of my classes safely tucked away somewhere. Instead, as it is, I've been duplicating some classes for use outside or inside the admin directory.

Thanks in advance for the input.

+2  A: 

You won't include files via apache so this password problem doesn't exist.

If you want to protect your includes, put them outside of the www root directory and nobody from the outside world will be able to access it.

baloo
If you care to elaborate, how am I accessing them if I'm writing a local path? i.e. require_once('includes/news.php'). I just tried it out, and it ran fine. If I write out the full URL, i.e. require_once('http://domain.com/admin/includes/news.php'), I get an access error. Is PHP interpreting how I access these files based on the path?
Jascha
@Jascha don't try to include files remotely (using domain.com). Enter the relative filepath. If you don't want remote users to access news.php directly, move that file to outside of the www-root (where the index is) and include it from there.
baloo
+1  A: 

The php include() function should be using the local file system, and thus is not bound by apache's .htaccess or other user access control mechanisms.

There should only be 1 copy of your class on the entire system. If it is used by both /admin and by the user portions perhaps you should create a /common folder to house these general purpose classes/functions. If a file containing only a php class is accessed directly nothing will happen. You could add a .htaccess deny from all if you are paranoid, or if you like using the .inc file extension which will spill source code to the attacker.

Rook
awesome answer, thank you. I've been writing my admin area as a totally different site... but, obviously the duplicate class issue is just redundant. I'm not sure why I figured I would run into the .htaccess issue. I know with ajax calls I often have to run the full url (ajax is particular about xss security) I guess my concern is when I'm including, or running an ajax call to a class my directory structure changes on account of where I'm calling from... so to solve some of those issues I might run the full url (using the server variables) to my file which would route me through .htaccess.
Jascha
@Jascha your concern should be in the difference between **client** and **server**. You have to distinguish **local filesystem access**, when your program is working with the **filesystem**, from browser calls to your server, which are performed via an HTTP connection. AJAX calls are the latter and have nothing to do with the filesystem. In short, you have to distinguish filesystem from HTTP.
Col. Shrapnel
@Col.Shrapnel, thanks for the input. Distinguishing the two definitely helps my logic. I guess my more specific problem is how do I positively identify a root for my filesystem if I'm not sure where my end file will be located? Going through the domain http://mysite.com/admin/myfile.php helped because I can always track that down. But, if I call my AJAX handler class and then in my AJAX handler class include more classes that also require other files (but this time from a different location because the ajax class is in the SAME directory), how do I make sure I have the right file path?
Jascha
I'm probably over complicating this, but, it seems to be an issue I run into where I have to include files from two different locations depending on where the original file is being included from.
Jascha
@Jascha use relative paths such as `../../` or use `$_SERVER["DOCUMENT_ROOT"]`; you should look at `phpinfo()`.
Rook
@Jascha actually only the latter will help with your problem, when you are `not sure where end file will be located`. Absolute paths are for this, and $_SERVER["DOCUMENT_ROOT"] is the answer to your question. Of course you don't need to identify a root for your filesystem (which is always `/`), but you positively need to know the absolute filesystem path to the directory where your webserver resides. $_SERVER["DOCUMENT_ROOT"] is for this.
Col. Shrapnel
@The Rook and @Col.Shrapnel ... you guys rock. I have one more question for you guys. If my index.php file is buried who knows where on a server and makes a call to $_SERVER['DOCUMENT_ROOT']/myClasses/importantFiles.php will I always end up in the right directory?
Jascha
@Jascha yes, so long as this index.php is in the same folder as myClasses.
Rook
@Jascha yes. That's why you have to use this variable: no matter where index.php is located, in the same folder with myClasses or not.
Col. Shrapnel
@Col. Shrapnel meh English is so ambiguous, he'll figure it out.
Rook
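Putting both answers together (classes kept outside the www root, and an absolute path that works no matter which script does the including), here is an added bootstrap file as an illustration; it is not code from the question or from either answer. The directory layout, the file name bootstrap.php, the constant PRIVATE_CLASS_DIR and the class name News are assumptions made for the example.

```php
<?php
// bootstrap.php -- lives in the DOCUMENT_ROOT (public/) and is included by every
// entry script with:  require_once $_SERVER['DOCUMENT_ROOT'] . '/bootstrap.php';
// Assumed layout (constructed for this example):
//   /var/www/example/public/                  <- DOCUMENT_ROOT: index.php, admin/, ajax/
//   /var/www/example/private/classes/News.php <- outside the web root, never served by Apache
declare(strict_types=1);

// Resolve the private class directory as an absolute filesystem path.
// __DIR__ is the directory of *this* file, so the result does not depend on
// whether index.php, admin/edit.php or ajax/handler.php pulled bootstrap.php in.
define('PRIVATE_CLASS_DIR', realpath(__DIR__ . '/../private/classes'));
if (PRIVATE_CLASS_DIR === false) {
    throw new RuntimeException('private class directory not found');
}

// Sanity check: the class directory must NOT sit under DOCUMENT_ROOT, otherwise a
// plain HTTP request could fetch the files (and .inc files would be served as text).
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
if ($docRoot !== false && strpos(PRIVATE_CLASS_DIR, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    throw new RuntimeException('class directory is inside the web root; move it out');
}

// Autoloader: maps a class name to PRIVATE_CLASS_DIR/<Name>.php and loads it through
// the local filesystem. This is a filesystem read, not an HTTP request, so the
// password protection on any admin/ folder never comes into play.
spl_autoload_register(function (string $class): void {
    // Accept only a bare identifier so a crafted class name cannot traverse directories.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
        return;
    }
    $file = PRIVATE_CLASS_DIR . DIRECTORY_SEPARATOR . $class . '.php';
    if (is_file($file)) {
        require_once $file;
    }
});

// After this, any script that included bootstrap.php can simply write `new News()`
// and the class is loaded from private/classes/News.php, wherever that script lives.
```

Because every entry script reaches bootstrap.php through `$_SERVER['DOCUMENT_ROOT']` rather than a chain of `../`, moving a script deeper into admin/ or ajax/ does not change a single include line.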