nothing500 Posted May 23, 2009

Is referencing the root with '/' dangerous? Why? Everyone says to reference the doc root with $_SERVER['DOCUMENT_ROOT']. Well, on my server, '/' points to the same location as $_SERVER['DOCUMENT_ROOT']. Is my server set up improperly? I've read opinions on this and still don't see the problems with it, aside from the fact that it's an absolute path, so it can't be changed dynamically from one variable. I think my favorite solution for referencing the root is to define a constant, e.g. "ROOT", and use that for all paths.
Mark Baker Posted May 23, 2009

If your $_SERVER['DOCUMENT_ROOT'] is the actual root directory, then you're exposing every file on your system, including password and system files. The server root is normally /usr/local/apache/htdocs for a reason.
hitman6003 Posted May 24, 2009

There are two reference points that you can use...

The first is the "document root". This is the directory that is the base for all the webpages on the server. For example, if you install the apache RPM on RHEL/CentOS it defaults to /var/www/html. When you have a link in your html and you put "/" in the link, for example:

<a href="/some/random/page.php">test</a>

The browser will look to the document root.

The other reference point is the file system. When you include a file, using php's include or require functions, it references the file system. So the path you use references the "root" of the file system. This means that doing

include("/web/includes/somefile.php");

will look for a file outside of the tree of documents that the web server references. In the above example for a link, the actual referenced file would be at a location similar to "/var/www/html/some/random/page.php".

This is important when you are including documents in your php scripts because sometimes you want to put a file to be included outside of the document tree that the webserver can access. For example, if you have a php file that contains your MySQL credentials, you don't want just anyone to be able to use their browser and point to "/some/random/mysql_credentials.php" to get the connection information. For the majority of files though, they are simply code that contains nothing sensitive.

Using the $_SERVER['DOCUMENT_ROOT'] variable is a simple way of providing the absolute path for including a file, while that path still remains flexible (because not everyone has the same document root).
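The two roots described in the post above, as an added example that is not part of the original thread: it resolves the same leading "/" once as a link and once as an include path, then reports which include paths fall inside the document root. The helper names (normalize_path, url_to_file, is_web_reachable) are hypothetical and the paths are constructed from those mentioned in the thread.

```php
<?php
// Added example; helper names are hypothetical, paths are constructed.

// Collapse "." and ".." in an absolute path without touching the disk,
// so this runs even where the directories do not exist.
function normalize_path(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Link side: the server resolves a URL path against the document root.
// Normalizing the URL path first keeps ".." from climbing above that root.
function url_to_file(string $docRoot, string $urlPath): string {
    return rtrim(normalize_path($docRoot), '/') . normalize_path($urlPath);
}

// Include side: true when a file-system path lies inside the document
// root, meaning a browser can request the file directly.
function is_web_reachable(string $docRoot, string $fsPath): bool {
    $root = rtrim(normalize_path($docRoot), '/') . '/';
    return strpos(normalize_path($fsPath) . '/', $root) === 0;
}

$docRoot = '/var/www/html'; // RHEL/CentOS default named in the post

// href="/some/random/page.php": "/" here means the document root.
echo url_to_file($docRoot, '/some/random/page.php'), PHP_EOL;

// include("/..."): "/" here means the root of the file system.
$includes = [
    '/web/includes/somefile.php',                    // outside the tree
    $docRoot . '/some/random/mysql_credentials.php', // inside the tree
    $docRoot . '/../includes/db.php',                // climbs back out
];
foreach ($includes as $path) {
    printf("%-48s %s\n", normalize_path($path),
        is_web_reachable($docRoot, $path) ? 'inside document root' : 'outside document root');
}

// Document root set to the file-system root: every path is inside it.
var_dump(is_web_reachable('/', '/etc/passwd'));
```

The check is string-based and ignores server aliases and symlinks, so treat "outside document root" as a statement about the path layout only.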
nothing500 Posted May 25, 2009

Hot damn -- 2 roots! Great response, Hitman. That makes sense -- the client only has access to the document root, so that's its root, but the server has access to everything, so it has a different root. So, this leads me to believe that using '/' on the client side (e.g. in my HTML) is totally harmless because it's only accessing the document root. Correct?