
Safe to store PHP files above public directory and load them using require_once?


I import website files at the top of each page using:

require_once('../file.php');

Is this the correct approach? Or should I be using a different PHP function/approach to access private files? I'm concerned that this approach may be prone to directory traversal attacks.


Solution

  • Is this the correct approach?

    Yes.

    Or should I be using a different PHP function/approach to access private files?

    No, keeping them outside of your document root should be sufficient. If, for example, you have a Local File Inclusion vulnerability somewhere in your application, you should focus on fixing the vulnerabilities rather than trying to hide your sensitive files.

    Security through obscurity is no security at all.
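The distinction the answer draws, as an added example that is not part of the original post: a `require_once` with a literal path gives request data nothing to steer, while an include built from request input needs a containment check. The directory layout, file names and the `resolve_page()` helper are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed layout standing in for a directory above the document root.
$private = sys_get_temp_dir() . '/private_' . bin2hex(random_bytes(4));
mkdir($private . '/pages', 0700, true);
file_put_contents($private . '/pages/home.php', '<?php return "home page";');
file_put_contents($private . '/secret.php', '<?php return "secret";');

// Fixed include, as in the question: the path is a literal, so no request
// data can steer it. __DIR__ anchors it to this file instead of the current
// working directory:
//     require_once __DIR__ . '/../file.php';

// Request-driven include: this is where a Local File Inclusion bug would
// live if $name were concatenated into the path unchecked.
// resolve_page() is a hypothetical helper for this example.
function resolve_page(string $baseDir, string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null;                        // realpath() rejects null bytes
    }
    $root = realpath($baseDir . '/pages');
    if ($root === false) {
        return null;
    }
    // realpath() collapses ".." and symlinks and fails for missing files.
    $path = realpath($root . '/' . $name . '.php');
    if ($path === false) {
        return null;
    }
    // Containment: the canonical path must still sit under $root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

foreach (['home', '../secret', 'missing'] as $name) {   // constructed inputs
    $file = resolve_page($private, $name);
    $result = $file === null ? 'rejected' : (require $file);
    printf("%-10s => %s\n", $name, $result);
}
```

A fixed allowlist of page names is stricter still when the set of includable files is known in advance.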