Member Avatar for Clawsy

I'm building a Content Management System on my own in PHP & MySql. I thought it's a good idea that all CMS files to be stored secure on the server "before" www folder so that it can't be accesed from the browser (all cms files in one folder). In www folder it's only the TEMPLATE cause I want to separate template from CMS, separate folders. I can include *.php files from folder above but I can't include the JavaScript files and other files that are linked from forms. For example at login: my login form actions on "login.php" which is in folder above root so it can't be accessed.

My question are:
- it is a good idea to store all CMS files in folder above 'www' folder? If so, how can I include the files correctly? If not, what's the best option to place my CMS folder? (remember I must separate the template from CMS. The template only calls 3,4 functions from CMS to show menu, content, etc. so that I can change the template without changing the content)

Thanks. Hope somebody helps :)

  • 3 Contributors
  • 8 Replies
  • 272 Views
  • 6 Days Discussion Span
  • Latest Post Latest Post by Clawsy

Recommended Answers

All 8 Replies

Member Avatar for samarudge

Storing files as, well, files is never a good idea, if stored as PHP files and then include/require(ed) the scripts could contain malicious code. There are two options;
1,
Save the file as .htm, .html, .txt (or some other plain text format)
Include the file with

<?php
echo file_get_contents($FileToGet);
?>

This will get the contents of the text file and echo it to the browser without executing any code inside.
2,
BLOB!
There is a field type in MySQL called BLOB (Binary Large Object) which I use for storing my files, it can hold a large amount of data, all you have to do is output it as you would with any other MySQL field

Member Avatar for samarudge

Storing files as, well, files is never a good idea, if stored as PHP files and then include/require(ed) the scripts could contain malicious code. There are two options;
1,
Save the file as .htm, .html, .txt (or some other plain text format)
Include the file with

<?php
echo file_get_contents($FileToGet);
?>

This will get the contents of the text file and echo it to the browser without executing any code inside.
2,
BLOB!
There is a field type in MySQL called BLOB (Binary Large Object) which I use for storing my files, it can hold a large amount of data, all you have to do is output it as you would with any other MySQL field

Member Avatar for alagirinetaxis

Hi

Wishes For Your CMS

Please Consider:

MVC
--------> Modules
--------> View
--------> Controller

So Please refer this

Member Avatar for alagirinetaxis

Hi

Wishes For Your CMS

Please Consider:

MVC
--------> Modules
--------> View
--------> Controller

So Please refer this

Member Avatar for Clawsy

Unfortunately I don't use any MVC yet cause I don't know :(. But I have 2 questions for *samarudge*:
1. I would have this link echo(ed) in the template header:

<script type="text/javascript" src="indexScript.js"></script>
//but I don't want to echo in the source my script which is in the folder above. How can I do it?

2. I have a form:

<form name="login_form" action="login.php" method="POST"> 
	<td colspan="8" valign="middle" align="center" style="height:30px; width:500px;"> 
 
	<span style="font-weight:bold; font:16px">Password:</span> 
	<input type="password" name="upass"  /> 
	<input type="submit" value="Login" style="width:60px; height:25px;" /></td> 
</form>

The file "login.php" is in the folder above too (if I use your first option). What can I do in this situation? cause the browser can't find it in the root folder of the website.

Hope I did not missunderstood something from you :). Now I must leave and get back in an 1-2 hours or so. Thanks for your interest in my problem!

Member Avatar for Clawsy

Unfortunately I don't use any MVC yet cause I don't know :(. But I have 2 questions for *samarudge*:
1. I would have this link echo(ed) in the template header:

<script type="text/javascript" src="indexScript.js"></script>
//but I don't want to echo in the source my script which is in the folder above. How can I do it?

2. I have a form:

<form name="login_form" action="login.php" method="POST"> 
	<td colspan="8" valign="middle" align="center" style="height:30px; width:500px;"> 
 
	<span style="font-weight:bold; font:16px">Password:</span> 
	<input type="password" name="upass"  /> 
	<input type="submit" value="Login" style="width:60px; height:25px;" /></td> 
</form>

The file "login.php" is in the folder above too (if I use your first option). What can I do in this situation? cause the browser can't find it in the root folder of the website.

Hope I did not missunderstood something from you :). Now I must leave and get back in an 1-2 hours or so. Thanks for your interest in my problem!

Member Avatar for samarudge

Not 100% sure what you mean but if you are in the file
/var/www/html/page/index.php (Local/On server)
and you are trying to access a file
/var/www/html/include/page.php (Local)
you can use the "Double Dot" syntax in PHP

include('../include/page.php');

would include the file
Is this what you meant?

Member Avatar for Clawsy

No, I mean if I have files like *.js and css in a folder like "/var/CMS/script.js" and the www is in the same folder as CMS, how can I make a link from html (which is in 'www' folder) to 'script.js' which is in 'CMS' folder? I gues I cannot...
So, link '/var/CMS/script.js' file in '/var/www/index.html'. What I was trying to do is to make the CMS folder unaccesible from the browser. (secure folder). Thanks for reply.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.