AJAX and PHP includes

conorgriff

Hi guys, I've done some googling but can't find a satisfactory answer to this. I have a website written in PHP which uses AJAX. Basically I have some JavaScript functions which access my sites database via PHP scripts.

To achieve this I take user input from forms using JavaScript and use POST to send it to my scripts. For security I have all scripts which use the database in an includes folder which is not directly accessible from the root of the website. The only way I have been able to achieve this is as follows:

/
    includes/
    site-directory/
        cgi-bin
        images/
        scripts/

Using the directory structure above, I keep all PHP scripts for database access in the directory includes/, this is so that in the event of the PHP parser on the server being down the SQL queries would not be exposed. When I send POST data from the JavaScript function I can't seem to be able to send it to these includes directly. The only way I've been able to do it is by sending the POST data to a file in the site-directory/ and using a PHP include to include the PHP functions contained in the includes/ directory

So for example, my JavaScript function might be

function post() {
 request.open("POST", 'www.mysite.com/logon.php',true);
 var userid = document.getElementById("userid").value;
 var password = document.getElementById("password").value;

 //Send the proper header infomation along with the request
 request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

 request.onreadystatechange = output;
 request.send('userid='+userid+'&password='+password);
}

and then the file www.mysite.com/logon.php might look like

[PHP]<?php
include '../includes/logon.php';
?>[/PHP]

and the file /includes/logon.php then contains the actual code to access the database.


So my question is, is there some way to tell the JavaScript function to access the included file directly without using the www.mysite.com/logon.php file?

louie

yes you can by setting up a variable like this:

var home_path = "http://www.mysite.com/includes/";

// and in you javascript code you can use

function post(url) {
 request.open("POST", home_path+url,true); //where url = page to be accessed like logon.php

misterq

No

You are saying that you are storing the includes directory outside of the web root and yet you want to access it directly. You can't have it both ways mate!

You don't need to store all the php files outside of the web root, just the sensitive stuff like database username, password etc. You can have a file that stores all this in an includes directory outside of root and your php files in the web root, including this file whenever the code needs to.

conorgriff

misterq wrote: »

No

You are saying that you are storing the includes directory outside of the web root and yet you want to access it directly. You can't have it both ways mate!

You don't need to store all the php files outside of the web root, just the sensitive stuff like database username, password etc. You can have a file that stores all this in an includes directory outside of root and your php files in the web root, including this file whenever the code needs to.

Yeah I was thinking about it this afternoon and that makes total sense. If the files are outside the web root so nobody can view them then that includes the JavaScript functions too Doh! Dunno why it didn't dawn on me before now. Cheers for the replies

CuLT

conorgriff wrote: »

Yeah I was thinking about it this afternoon and that makes total sense. If the files are outside the web root so nobody can view them then that includes the JavaScript functions too Doh! Dunno why it didn't dawn on me before now. Cheers for the replies

Yes, not to beat a dead horse here but for anyone else reading it's important to note that Javascript is client-side, while anything in PHP/ASP/Perl is server-side.

Any client-side scripting will have the same access as the client themselves do. This is vitally important from a security POV, let alone a functionality one