I'm making a script that lets my users open the page, vote for our site, and then get a password to some restricted content on the site. However, I plan on storing the password in a file outside public_html so it cannot be read directly from the source code.

Is there any way to do an AJAX call to a file above public_html? I don't want to AJAX to a file inside public_html that will read the file, it'll just defeat the purpose.

+1  A: 

No, you cannot do that.

The web server does not allow you to do that.

Also, it is highly insecure to expose access to non public_html files on the server.

arbithero
+2  A: 

Not directly, no. And, frankly, thank goodness for that (since JS is executed client-side, and the client should never have access to the web server above public_html).

You can, however, use Ajax to call a PHP script inside the web root that has access to documents outside of the web root. This way you're still keeping the password out of public reach, but still allowing your users to make use of it.

The down-side is that the password might make it to the client-side in the Ajax call (depending on what your Ajax call does). Basically, if JS can get access to the password then so can any interested user.

David Thomas
I don't want to AJAX to a file inside public_html that will read the file, it'll just defeat the purpose.
esqew
@seanny94, then the answer to your question is a simple: **no**.
David Thomas
:( thanks anyway.
esqew
A: 

No, you can't have an AJAX call to a file that's not served by the web server (I'm assuming the file above public_html doesn't have an Apache ALIAS or virtual directory set up).

To accomplish what you're trying to do, create a script (PHP?) on your site that AJAX calls and this script will either:

  1. Read the password file wherever it is on the system (assuming the file has the correct file permissions)
  2. Embed the password within the script itself since the source code of the script can't be retrieved.
burkestar
I don't want to AJAX to a file inside public_html that will read the file, it'll just defeat the purpose.
esqew
If the file is a server-side script (like a PHP script) then it is first processed before being returned by the web server, so the source code of the script is not seen by users on your site. At this point, hiding the password in the server-side script itself, in another file on the server or within a database is a moot point.
burkestar
A: 

No. An AJAX request is simply a request like any other that loads a resource from your server. The only difference is that it exposes the result to JavaScript on an already loaded page instead of loading a new page. So if an AJAX request can get this secure file, then anyone can.

You could set up a proxy script in some web application programming language to fetch the file from disk and send it along for you. But then it wouldn't be much different from putting the file right in the public directory.

You may need to rethink your approach here.

Squeegy
A: 

Why don't you do an AJAX call to some view function on the server that can access the file you need and then return whatever data to the AJAX request?

kchau
I don't want to AJAX to a file inside public_html that will read the file, it'll just defeat the purpose.
esqew
@seanny94, you're not AJAXing to a specific static file per se... you should perform an AJAX request to some kind of view logic on the web server that will perform some function and return an AJAX response that has what you need. That "some function" could be to go and grab whatever data you want from that file outside of the public dir.
kchau
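
The server-side script the answers above describe, as an added PHP example that is not code from any of the posters. The file name `get_password.php`, the `private/password.txt` location and the `$_SESSION['has_voted']` flag are assumptions made for illustration; the page does not say how a vote is confirmed.

```php
<?php
// public_html/get_password.php (hypothetical name): the only URL the browser calls.
// The secret sits one level above the web root, so no URL maps to it directly.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');
header('Cache-Control: no-store'); // keep the response out of shared caches

// Assumption: the vote-handling code sets this flag only after the server
// itself has confirmed the vote. A value sent by the browser proves nothing.
if (empty($_SESSION['has_voted'])) {
    http_response_code(403);
    echo json_encode(['error' => 'vote required']);
    exit;
}

// Assumed layout: /home/user/private/password.txt next to /home/user/public_html
$secretFile = dirname(__DIR__) . '/private/password.txt';

$password = is_readable($secretFile) ? file_get_contents($secretFile) : false;
if ($password === false) {
    // Log server-side; do not return the filesystem path to the client.
    error_log('get_password.php: cannot read secret file');
    http_response_code(500);
    echo json_encode(['error' => 'server error']);
    exit;
}

// From this point the password is in the HTTP response, so the user and any
// script running in their page can read it. The check above is the only gate.
echo json_encode(['password' => trim($password)]);
```

Requesting this URL without the session flag returns a 403 and no password; the PHP source and the file outside `public_html` are never served, only the JSON the script chooses to emit.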