FuelPHP Forums
Not Install inside the document root
  • Hi! I'm new to FuelPHP, coming from CodeIgniter, and I've started some tests on Fuel. I've installed it and I'm working OK with Fuel all in my local document root under /fueltest, but something is circling my head: the part of the installation guide that says "for security reasons it is strongly advised NOT to install Fuel inside your webserver's document root". Why is that? That's something I've never done with CI... That means that in production it should be installed as:
    /
      fuel/
        app/
        core/
        packages/
      public_html/
        public/
           .htaccess
           assets/
           index.php
           oil
    

    or how?
  • Sorry to hijack an old topic, but I feel this has relevance to what has been said before. I too am struggling with the fact that I have to place the fuel directory outside of the public document.
    I will be running at least two installations of FUEL on my host.
    If I understand your docs correctly, this is how the situation will turn out to be:
    /
    |- app-1
    |- app-2
    |- FUEL-for-app-1
    |- FUEL-for-app-2
    

    Everything app-1 & app-2 needs (including the view-files) will be written in FUEL-for-app-x
    The folder app-x is only used to have a single point of entry (index.php) and some assets... Do I understand this correctly? --
    Thanks,
    Jeroen
  • Guido R wrote on Saturday 7th of May 2011:
    Thanks, I've got it now! But isn't this something that can be mitigated with an .htaccess file and "Deny from all" and then on every php file, the first line something like:
    <?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
    
    as CI does? Which is a better practice? Because I think some hosts don't execute the php files outside the document root

    I personally know one well-visited site, which takes money for membership, and one day the web server stopped parsing PHP files and you could just download PHP files for 1 hour - which leads to REAL security problems.... but when you have files outside the webroot - after such a problem occurs - the worst that will happen is that people will just download the index.php file, which is 'nothing' - so you stay secure enough :)
  • I think it's supposed to be like this:
    /
    --fuel/
    ----app/
    ----core/
    ----packages/
    --public_html/
    ----.htaccess
    ----assets/
    ----index.php
    ----oil
    
    
    Edit: fixing formatting. Maybe this forum should be open-sourced so that someone who's got time can work on the many deficiencies.
    Edit 2: Although 'supposed to' is probably the wrong way to say it. My illustration is the 'default' way to do it, but you can put the fuel directory wherever you want as long as you set the right location for 'fuel' in app/config/config.php
  • Jelmer Schreuder wrote on Friday 6th of May 2011:

    Yes, I've read the docs, but it's not very clear, because there it seems to be installed like:
        / (??) is this public_html?
           fuel/
             app/
             core/
             packages/
           public/
             .htaccess
             assets/
             index.php
             oil
    

    But isn't that all inside document root? and why shouldn't /fuel be inside document root?
  • From the docs mentioned above:
    Move the files to your server:
    - Note the public directory in the source equals your web server's public document directory i.e. public_html, public, htdocs, etc. Move its contents to there or a subdirectory of the webroot where you want to use Fuel.
    - Placing the fuel directory outside of the public document directory is encouraged for security reasons.
    - Edit the paths in index.php to point to your app, core & packages directories.
  • Guido: You're misreading the docs, slightly. The "Install inside the document root" section title actually means "If you decide to install in the document root, you must do the following". The recommendation is that you do not put the 'fuel' directory in document root. If you decide to ignore that recommendation, you'll need to follow the instructions in the "install inside the document root" section.
  • Thanks, I've got it now! But isn't this something that can be mitigated with an .htaccess file and "Deny from all" and then on every php file, the first line something like:
    <?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
    
    as CI does? Which is a better practice? Because I think some hosts don't execute the php files outside the document root
  • Guido: Sure, but there's always the potential for human error if you rely on .htaccess and exit() alone. If you put fuel completely outside of your public path, that removes the additional potential for human error messing up your protection scheme. See what happened at tumblr for a good example of such a screw-up. If you have a reasonable host, you'll be able to put fuel outside of the public path and still execute the php files, and your app will be more secure. Edit: added a better link to the Tumblr story.
  • Thanks for the answer Kurt, I will have this in mind
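The thread weighs two defences: keeping fuel/ outside the document root, or leaving it inside and relying on an .htaccess "Deny from all" plus the CI-style guard line. The POSIX shell check below is an added example (not from the thread and not part of FuelPHP) that classifies which situation a deployment is in; it assumes an Apache-style server that honours .htaccess, and takes the document root and the fuel directory as arguments.

```shell
#!/bin/sh
# Added example: classify where a FuelPHP "fuel/" directory sits relative to
# the web server's document root. Exit codes: 0 = outside the docroot (the
# recommended layout), 1 = inside but covered by an .htaccess deny rule (the
# CI-style fallback), 2 = inside with nothing stopping a source download,
# 3 = a path does not exist. Paths are resolved with pwd -P so a symlink that
# points into the docroot is caught too.

check_fuel_layout() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "ERR: no such dir $1"; return 3; }
    fueldir=$(cd "$2" 2>/dev/null && pwd -P) || { echo "ERR: no such dir $2"; return 3; }
    shown="$docroot"

    # Normalise a docroot of "/" so the prefix pattern below is "/*", not "//*".
    if [ "$docroot" = "/" ]; then
        docroot=""
    fi

    case "$fueldir/" in
        "$docroot"/*)
            # Web-reachable. If PHP handling ever breaks (as in the membership
            # site story above), only an .htaccess deny rule stands between a
            # visitor and the raw source of app/, core/ and packages/.
            if grep -qiE 'deny from all|Require all denied' "$fueldir/.htaccess" 2>/dev/null; then
                echo "WARN: $fueldir is inside $shown and relies on .htaccess alone"
                return 1
            fi
            echo "FAIL: $fueldir is inside $shown with no .htaccess deny rule"
            return 2
            ;;
        *)
            echo "OK: $fueldir is outside $shown"
            return 0
            ;;
    esac
}

# Run directly, e.g.: sh check_fuel_layout.sh /var/www/public_html /var/www/fuel
if [ $# -eq 2 ]; then
    check_fuel_layout "$1" "$2"
fi
```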
