
Hiding Files Below Web Root Directory


adamreiswig

7:04 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



I'd like to hide sensitive info in files below the webroot. Say sql access passwords in a .php file. I have tried using "/../[file name]" with no luck. Shouldn't "/" take me to the web root and "../" then take me one level lower? I am running on a Linux server if that makes any difference. Thanks a lot for any help you can offer!

-Adam R.

physics

7:12 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



PHP can't access below the web root due to the config of PHP on your system (for exactly the reason of keeping those private things private).
One reason could be the basedir restriction is being used and your home directory isn't included in the allowed dirs. You can get around this though, look up php basedir.
By the way, welcome to WebmasterWorld.com!

adamreiswig

7:27 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



Thanks.

I went to Php.net and searched for basedir but didn't come up with anything. Any suggestions? Also, it might be worth noting that for testing purposes I was trying to access the file from a .html file rather than a .php file. Thanks again!

-Adam R.

jatar_k

7:34 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Welcome to WebmasterWorld adamreiswig,

if it is a shared host it may not be allowed, though if you can see a folder in ftp that is above the webroot you could grab the full path from root out of your ftp program and use that full path to include the file.

gliff

7:37 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



First, a small nomenclature correction. The phrase you want is above the webroot. Below the webroot would imply a file that's within the webroot folder.

As to your problem, you're not being specific enough

1. What php function are you using to open the file
2. What error message, if any, are you getting (or if no error message, what leads you to believe it's not working)
3. Show us *just enough* code to see what's going on.

Anyango

8:03 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Adam!

"../" takes you to a level UP, not to a level down.

adamreiswig

8:05 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



Ok, the host I am using is an account I created from a reseller account which I purchased. I do have access, via ftp and a web based control panel, to the directory "above" (thanks for correcting me there :) ) the webroot directory.

I actually am not trying to access above web root directory via .php yet. Just for testing I have been trying to access it via my index.html file. Here is a snippet of my code:

<link rel="stylesheet" type="text/css" href="/../armain.css" />

The "armain.css" is the file I stuck outside the web directory, "public_html".

My thinking was if I can access a file in this directory via a standard .html file then I should be able to access files in the same directory via a .php file.

I am not getting any error message but I know it is not working as the style sheet is not being applied to my .html file. I also tried to access a .jpg file and could not see it either.

[edited by: jatar_k at 8:18 pm (utc) on July 14, 2005]
[edit reason] sorry no personal urls thanks [/edit]

gliff

8:16 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



What you're trying isn't possible, by definition.

The whole idea of a webroot folder is "the public can only access files in this directory". Any file you link to (href=, src=) from an html page has to be in the webroot. This is Just How the Web Works™. That's basic HTML, and has nothing to do with PHP.

Hope that helps some.

[edited by: gliff at 8:17 pm (utc) on July 14, 2005]

physics

8:17 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hmm.... I'm no php expert but there should be info on basedir somewhere, maybe at the apache site? In my httpd.conf the VirtualHost entries are like this:

<VirtualHost xx.xx.xx.xx>
...
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/me/:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
...
</VirtualHost>

Only the directories in there or entries below them (in the correct sense :) ) can be accessed from a PHP script.
This probably doesn't directly help you because you're hosted but if this restriction is in place then there's your problem.
You may want to ask your host about this but they probably won't change it for you.

Maybe you can put the config files in a password protected (.htaccess) web directory instead?

physics

8:20 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



From PHP Safe Mode - Manual [php.net]


open_basedir string

Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink.
...

adamreiswig

8:22 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



I've done it before on a different host. As far as I can tell the two are set up almost identically.

I've read in a couple of places where it was recommended that .php files that contain info such as sql passwords, etc. be placed/hidden below the webroot so that if the php server failed the sensitive info could not be accessed by prying eyes. My host was upgrading Apache a few weeks back and my php was actually down for about 15 minutes. I had access via my browser to all my .php files.

Is there a better way to protect my files? Is there a way using folder permissions to deny access except when it's from a local request? Thanks again!

-Adam R.

physics

8:22 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




What you're trying isn't possible, by definition.

This isn't true, I'm able to get to files elsewhere on the server by adding the directories to the open_basedir line in httpd.conf

adamreiswig

8:25 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



Yes physics, I could password protect a folder in the web tree. But since I was able to achieve this once before, it's really bugging me I can't remember how. :) But thanks for the idea.

jatar_k

8:26 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



wait a minute, I think we are spiralling out of control here

<link rel="stylesheet" type="text/css" href="/../armain.css" />

by definition this defines an href which will be within the public portion of the site, this has nothing to do with php including via the filesystem

if you did an include for a file, and I don't mean for css but for, as per your example, your db settings

include '/usr/home/adam/config.php';

this would work, though I made the path up, for the same example your web root could possibly be something like

/usr/home/adam/public_html

does that make any sense?

jatar_k

8:32 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



[w3.org...]

This attribute specifies the location of a Web resource.

I would think that a file outside of the web root would not classify as a web resource because it exists outside of your web accessible content, that's my interpretation

gliff

9:05 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



First, the Apples.

Physics, in the example adamreiswig gave he was trying to create a link, in an HTML file, to something that's outside of the webroot. This can't be done, and it's a good thing it can't be done.

http://example.com/../../../etc/oh_no_my_passwords!

The whole idea of defining a webroot is to say "hey, only serve these files over http"

Now, the oranges.

Adamreiswig, you're correct that it's good practice to store php files that contain sensitive information outside the webroot.

In its default configured state, PHP can open/include/etc a file from anywhere on the file system. This is deemed "secure" because it would take the actions of a malicious/incompetent system user and a somewhat poorly configured server to "use these powers for evil".

However, as Physics mentioned, you can configure PHP to disable this behavior, and only allow files to be opened, by php, from certain locations.

However, before you go hunting down (or is that up (-: ) the open_basedir path, you want to make sure that's what's really happening.

So, create a simple test case PHP file that tries to open a file above the webroot, with PHP code, and let us know what the error message is. If it's something like "Warning: open_basedir restriction in effect. File is in wrong directory", then you can attempt to configure PHP to allow you to do this. If not, post the message and someone may be able to help.

Footnote: It should be noted that not all extensions obey the open_basedir instructions, so you should not rely on it for real security. Which has nothing to do with the question being asked.

adamreiswig

10:01 pm on Jul 14, 2005 (gmt 0)

10+ Year Member



I don't have time tonight to run the php test you requested but I will try to do so tomorrow. Thanks again for all your help.

physics

11:46 pm on Jul 14, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



gliff: OK, you were answering message #7 and I thought you were addressing msg #1 which was:

I'd like to hide sensitive info in files below the webroot. Say sql access passwords in a .php file. I have tried using "/../[file name]" with no luck.

Anyway in summary you can include files with PHP from outside your webroot (depending on the php/apache config) BUT you can't do this in HTML.

adamreiswig

1:48 am on Jul 15, 2005 (gmt 0)

10+ Year Member



Well, I went ahead and created a php file to read a text file above the web root. I set the path to:

$File = "/home/[username]/file.txt";

and it read it. I guess last time I did this it was from php and not from an .html file like I thought. Thanks a lot for everyone's help. I really appreciate it. :)

-Adam R.

Notawiz

1:04 pm on Aug 4, 2005 (gmt 0)

10+ Year Member



Adam,

I'm a bit late on this, but consider doing your test with phpinfo() 'hidden' above the webroot.

If that works, you'll be certain, AND have valuable information about your server.

Besides, another advantage of storing part of the code above the public domain is that when the PHP engine is down, nobody will see your source code.

Indeed, when the engine is down, your www.mydomain.com/myfile.php will read as a simple *.txt file, unveiling your precious code.

When hiding some essential code snippet above the public domain, and calling that in the first line of a 'public' file with include() or require(), if the PHP engine is down, it will thus NOT execute the include() or require(), so that nothing is displayed, because the page can not be loaded at all.

I found that very useful.

Notawiz
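An added example, not from any post in this thread, for the case physics raised (the config file has to stay inside the web tree) and the failure Notawiz describes (mod_php unloaded, so Apache hands out the .php source as plain text). Rather than Basic-auth password protection, the directory is simply never served over HTTP; PHP's include() and require() read it through the filesystem, so they are unaffected. The paths /home/adam/public_html and its inc/ subdirectory are assumed for illustration:

```apache
# Added example, not from the thread. Put this in httpd.conf (or the site's
# <VirtualHost>); the same two directives also work in an .htaccess file
# if AllowOverride permits them.
#
# Assumed layout: /home/adam/public_html is the web root and
# /home/adam/public_html/inc holds files that are only ever include()d.

<Directory "/home/adam/public_html/inc">
    # Apache 2.4 syntax. On Apache 2.2 use:
    #   Order deny,allow
    #   Deny from all
    Require all denied
</Directory>

# Belt and braces: refuse direct requests for include-only files by name,
# wherever they happen to sit, so a stray copy outside inc/ is not exposed
# either. Name your includes *.inc.php so they match.
<FilesMatch "\.inc\.php$">
    Require all denied
</FilesMatch>
```

Check it with a plain browser request for /inc/config.inc.php: the answer must be 403 whether or not PHP is running, because the denial is evaluated by Apache before any handler sees the file. Keeping the credentials above the web root, as the rest of the thread recommends, remains the better option where the host allows it; this is the fallback.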

bzikofski

1:16 pm on Aug 4, 2005 (gmt 0)

10+ Year Member



echo $_SERVER['DOCUMENT_ROOT'];
will give you your webserver's document root as defined in httpd.conf (which can be for example: /www/public_html/)

if you want to include some file that is a level up from your public html you would simply do:

// dirname() steps one level above the document root, so the file never sits in the web-served tree;
// rtrim() copes with DOCUMENT_ROOT being set with or without a trailing slash.
// No @ in front: suppressing the warning would also hide the open_basedir message you need to see.
require dirname(rtrim($_SERVER['DOCUMENT_ROOT'], '/')) . '/my_secret_file.php';

..
your explanation was a bit confusing so I'm not sure if this is what you want.. but I suppose so :)

cheers!
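Pulling the thread's conclusion together (gliff's test case, physics's summary that PHP can include from outside the webroot subject to open_basedir, and bzikofski's DOCUMENT_ROOT trick), here is an added example of a credentials loader written for this page; it is not code from any of the posters. It assumes a hypothetical layout in which DOCUMENT_ROOT is /home/adam/public_html and the credentials live in /home/adam/private/db.php, a file that simply returns an array. Before touching the file it reproduces the open_basedir check PHP itself applies, so a failure is reported as a server-configuration problem rather than as a mysteriously missing file, and nothing about the path or the error is ever echoed to the browser.

```php
<?php
// Added example, not from the thread. Assumed layout (hypothetical):
//   DOCUMENT_ROOT            = /home/adam/public_html
//   credentials file         = /home/adam/private/db.php
//   db.php contents          = <?php return ['dsn' => 'mysql:host=localhost;dbname=app',
//                                            'user' => 'app', 'pass' => '...'];
declare(strict_types=1);

// Directory one level above the web root where private files are kept.
function privateDir(): string
{
    // realpath() resolves symlinks and drops any trailing slash Apache may have set.
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT']);
    if ($docRoot === false) {
        throw new RuntimeException('DOCUMENT_ROOT does not resolve to a directory');
    }
    return dirname($docRoot) . '/private';
}

// Same prefix test PHP applies before it emits "open_basedir restriction in effect".
function isAllowedByOpenBasedir(string $path): bool
{
    $basedir = ini_get('open_basedir');
    if ($basedir === false || $basedir === '') {
        return true;                                   // no restriction configured
    }
    $real = realpath($path) ?: $path;                  // fall back to the literal path if it does not exist
    foreach (explode(PATH_SEPARATOR, $basedir) as $allowed) {
        $allowed = rtrim($allowed, '/') . '/';
        if (strncmp($real . '/', $allowed, strlen($allowed)) === 0) {
            return true;                               // $path is inside an allowed tree
        }
    }
    return false;
}

// Load and validate the credentials array; every failure is a RuntimeException.
function loadDbConfig(): array
{
    $file = privateDir() . '/db.php';

    if (!isAllowedByOpenBasedir($file)) {
        // The fix belongs in httpd.conf/php.ini (php_admin_value open_basedir), not here.
        throw new RuntimeException(
            'open_basedir (' . ini_get('open_basedir') . ') does not include ' . $file
        );
    }
    if (!is_readable($file)) {
        throw new RuntimeException("cannot read $file: check the path and the file's permissions");
    }

    $config = require $file;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($config) || !isset($config[$key])) {
            throw new RuntimeException("db.php is missing the '$key' entry");
        }
    }
    return $config;
}

try {
    $db  = loadDbConfig();
    $pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    echo "connected\n";
} catch (RuntimeException | PDOException $e) {
    // Log server-side only; the path, the DSN and the error text stay out of the response.
    error_log('db config: ' . $e->getMessage());
    http_response_code(500);
    echo "configuration error\n";
}
```

Run it as a normal page and watch the error log rather than the browser. If the log shows the open_basedir line, the script is fine and the VirtualHost's open_basedir list needs the private directory added (or the host needs to be asked); if it shows the "cannot read" line, the problem is the path or Unix permissions, which is exactly the distinction gliff asked Adam to establish.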