Keeping your root development directory non-browseable

A friend has asked me to clarify some of the why and how of the way I structure my development directories, which generally start out like this:

:root directory: 
 - core/ 
 - config/ 
 - vendor/ 
 - www/ 
   --css/ 
   --js/ 
   --images/

They were having trouble with the usage of the www folder as the only location for public scripts, images, JavaScript, etc., since their web host added a secondary /www/ to the URL for any of those files. (They’re not using pretty URLs yet, so they’re just working with naked PHP scripts in a single public directory at the moment.)

Here, in essence, is what I told them.

How about you make a file called awesomepassword.php and give it this content:

<?php define('AWESOME_PASSWORD', 'superCoolPassword76783489'); ?>

Now stick it in your project’s root folder. Now if you browse to yourDevelopmentUrl/awesomepassword.php you get a blank white page. Oh well, not a problem, right? Now, just as an illustration, rename the file awesomepassword.php to awesomepassword.ph and then browse to yourDevelopmentUrl/awesomepassword.ph and see what you get!
Having every script be public isn’t the best approach.
Obviously this typo example isn’t hard to avoid, but there are a variety of other similar benefits to having your root folder not be public. For instance, your included scripts (classes, methods, functions) should not be directly browseable, and they don’t need to be. Your config files can be non-browseable as well, as in the example above. Ideally, you could also make the www/ folder really clean, with only a single PHP file in it, like index.php, to be used for pretty URLs.
(pretty urls are a great help when coding a site in php, so I’ll get into them at another time, in another post)
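Here is what that single public index.php can look like when www/ is the web server’s document root and everything else sits one level up. This is an added example, not code from the original post: the DocumentRoot sanity check, the APP_ROOT constant and the core/home.php and core/about.php route targets are my own assumptions.

```php
<?php
// www/index.php: the only PHP file inside the public document root.
// config/, core/ and vendor/ live one level up, outside DocumentRoot, so the
// web server cannot serve them by URL no matter what extension a file has.

declare(strict_types=1);

// Resolve the project root from this file's own location, never from
// a hard-coded path and never from anything the client supplies.
define('APP_ROOT', dirname(__DIR__));

// Assumed defensive check: if the host pointed DocumentRoot at the project
// root instead of www/, config/ would be browseable again. Refuse to run
// rather than silently serve in that layout.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
if ($docRoot === false || $docRoot !== realpath(__DIR__)) {
    http_response_code(500);
    exit('DocumentRoot must be the www/ directory, not the project root');
}

// Load the config from outside the document root (the file from the post).
require APP_ROOT . '/config/awesomepassword.php';

// Minimal front controller for pretty URLs: the request path is looked up
// in a fixed allow-list, so the request never becomes part of a file name.
// The two target scripts are hypothetical and not part of the post.
$routes = [
    '/'      => APP_ROOT . '/core/home.php',
    '/about' => APP_ROOT . '/core/about.php',
];
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
if (!isset($routes[$path])) {
    http_response_code(404);
    exit('Not found');
}
require $routes[$path];
```

With this layout a typo such as awesomepassword.ph in config/ is harmless, because nothing under config/ is reachable by URL in the first place.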