Best way to find the system and application folders above the web root in CI3?
#1

One of the first things you notice about CodeIgniter 3 when you install it is that the index.php file is stored in the document root, meaning that when you eventually go to deploy your finished application on the server, someone who knows it's built on top of CodeIgniter can access any file stored beneath. Though I've yet to come across problems regarding the actual PHP source files, as each one is told to cancel execution if someone tries to access them directly.

So how do we solve this problem? The installation guide gives us a brief idea:

Quote: For the best security, both the system and any application folders should be placed above web root so that they are not directly accessible via a browser. By default, .htaccess files are included in each folder to help prevent direct access, but it is best to remove them from public access entirely in case the web server configuration changes or doesn’t abide by the .htaccess.
but that's not good enough. I want specifics. So I dig a bit deeper into the documentation and find this:
Quote: Another good security practice is to only leave your index.php and “assets” (e.g. .js, css and image files) under your server’s webroot directory (most commonly named “htdocs/”). These are the only files that you would need to be accessible from the web.
Again, that's some pretty vague wording. Sure, I did find some other people who touched on the same issue, but never any concrete examples. Specifically, I'm looking for what I should be replacing the $system_path and $application_folder variables with. Thank you.
Also, hi. This is my first post. There doesn't seem to be anywhere to introduce myself, so I thought I'd jump right in.
Reply
#2

(This post was last modified: 09-29-2018, 11:21 AM by ciadmin. Edit Reason: typo )

Take a look at how we are doing it in CI4 ... https://bcit-ci.github.io/CodeIgniter4/c...cture.html
Reply
#3

(09-26-2018, 04:14 PM)ciadmin Wrote: Take a look at how we are doing it in CI4 ... https://bcit-ci.github.io/CodeIgniter4/c...cture.html

Yes, I realise that in CodeIgniter 4 this will be something of a non-issue, since it's separated out by default by giving it its own folder called 'public'. Looking at the code, it seems that you're just using ../ to find the directory above. I did that as a relative path and it behaved oddly for me when it came to deploy my application. By appending it to the end of the absolute path to the front controller though, that might fix a few things.

I can't wait for version 4, by the way. Any news on the release date?
Reply
#4

Yes that's how you set it up in the index.php file in CodeIgniter 3x

On my live server the application and system folders are above the root
and index.php is under the public_html folder. Below is how you access
them.

Folders:

application
system
public_html or public
-- index.php

application folder
../application

system folder
../system
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
#5

FWIW, the .htaccess files in both the application and system directories use the exact same Apache directives that make directories "above the root" inaccessible using HTTP requests. To me, this eliminates the need for moving those folders from the "as supplied" locations. Please correct me if my understanding (in terms of security) is wrong.

There might be some slight performance gain in relocating them above the root if the directory specific .htaccess files are deleted. That would eliminate Apache from having to read and respond to directives that are already supplied by Apache's global (or virtual host) configs.
Reply
#6

(This post was last modified: 09-29-2018, 10:36 AM by ItsSeaJay.)

OK, so for the project I'm working on right now, I've decided to make it find the system and application folders like this:
PHP Code:
$system_path = __DIR__.DIRECTORY_SEPARATOR.'../system';
$application_folder = __DIR__.DIRECTORY_SEPARATOR.'../application';

and it seems to work for me. Is that what you meant, ciadmin?
Reply
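
The fix from this thread as a stand-alone check, added here as an example and not code from the posters or from CodeIgniter: it resolves both folders relative to the front controller's directory and refuses a folder that still sits under the web root. The helper `resolve_above_webroot()` and the temporary directory layout are hypothetical; only `$system_path` and `$application_folder` are CodeIgniter 3 names.

```php
<?php
// Added example, not CodeIgniter's own code. resolve_above_webroot() and the
// temporary layout below are hypothetical names constructed for the demo.

/**
 * Resolve $relative against the web root (the front controller's directory)
 * and confirm the result exists and is NOT inside the web root.
 */
function resolve_above_webroot(string $webroot, string $relative): string
{
    $root = realpath($webroot);
    $path = realpath($webroot . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $path === false || !is_dir($path)) {
        throw new RuntimeException("Folder not found: $relative");
    }
    // Compare with a trailing separator so /srv/public_html_old is not
    // mistaken for a child of /srv/public_html.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("Folder is inside the web root: $path");
    }
    return $path;
}

// Constructed layout: <tmp>/{application,system,public_html/application}
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ci3_layout_' . uniqid();
foreach (['application', 'system', 'public_html/application'] as $dir) {
    mkdir($base . DIRECTORY_SEPARATOR . $dir, 0700, true);
}
$webroot = $base . DIRECTORY_SEPARATOR . 'public_html'; // __DIR__ in a real index.php

$system_path        = resolve_above_webroot($webroot, '../system');
$application_folder = resolve_above_webroot($webroot, '../application');
echo "system:      $system_path\napplication: $application_folder\n";

try {
    // A copy of the folder left under the web root is rejected.
    resolve_above_webroot($webroot, 'application');
} catch (RuntimeException $e) {
    echo 'rejected:    ' . $e->getMessage() . "\n";
}

// Remove the constructed layout again (children before parents).
foreach (['public_html/application', 'public_html', 'application', 'system', ''] as $dir) {
    rmdir(rtrim($base . DIRECTORY_SEPARATOR . $dir, DIRECTORY_SEPARATOR));
}
```

Anchoring on the front controller's own directory, rather than a bare `../system`, keeps the result independent of the process's current working directory.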
#7

(09-29-2018, 10:36 AM)ItsSeaJay Wrote: OK, so for the project I'm working on right now, I've decided to make it find the system and application folders like this:
PHP Code:
$system_path = __DIR__.DIRECTORY_SEPARATOR.'../system';
$application_folder = __DIR__.DIRECTORY_SEPARATOR.'../application';

and it seems to work for me. Is that what you meant, ciadmin?

Yup. Better separation of concerns, even if a .htaccess file could prevent access to them :)
Reply
#8

(09-29-2018, 11:22 AM)ciadmin Wrote:
(09-29-2018, 10:36 AM)ItsSeaJay Wrote: OK, so for the project I'm working on right now, I've decided to make it find the system and application folders like this:
PHP Code:
$system_path = __DIR__.DIRECTORY_SEPARATOR.'../system';
$application_folder = __DIR__.DIRECTORY_SEPARATOR.'../application';

and it seems to work for me. Is that what you meant, ciadmin?

Yup. Better separation of concerns, even if a .htaccess file could prevent access to them :)

Great! I'm glad that something about this topic exists on the internet now. Thank you.
Is there anywhere I could post about the project I used this in?
Reply



