Why are CodeIgniter application files in the public_html folder?


Solution 1

The developers of CodeIgniter, EllisLab, have set up the framework in this way for ease of use. It means that people wishing to try out the framework don't have to fiddle with any permissions settings on their server.

Of course, on a production server you are absolutely right: putting your PHP files in the public HTML folder is not a good idea.

A better way to organise your folders would be:

  • root
    • code_igniter
      • application_folder
        • config
        • controllers
        • models
        • ...
      • system_folder
    • public_html
      • css
      • js
      • images
      • index.php
      • .htaccess

The only other change to be made here would be to change line 26 of index.php to read:

$system_folder = "../code_igniter/system_folder"; // relative to public_html/, matching the tree above

Solution 2

You can add the following rule to your .htaccess file to further protect the system and application directories from being viewed (sends a 403 Forbidden error):

# Protect application and system files from being viewed
RewriteRule ^(application|system) - [F,L]
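The rule in Solution 2 only takes effect when mod_rewrite is switched on for the directory, and as written it also matches any URL that merely begins with those words. The file below is an added example of a complete public_html/.htaccess, not the answer's own; the front-controller rules at the end are the usual CodeIgniter pattern and are assumed to fit your routing configuration.

```apache
# public_html/.htaccess  (added example, not from the answer above)
RewriteEngine On

# Refuse direct requests to framework directories if any copy of them is
# still under the web root. [F] answers 403 Forbidden, [L] stops rule
# processing so nothing below can override it. The trailing (/|$) keeps
# the rule from also matching unrelated paths such as /systematics.
RewriteRule ^(application|system)(/|$) - [F,L]

# Anything that is not an existing file or directory goes to the front
# controller, so CodeIgniter routes work without index.php in the URL.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
```

If application and system have already been moved out of public_html as Solutions 1 and 3 describe, the deny rule never fires; keeping it is cheap insurance against a later deployment that copies the directories back in.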

Solution 3

With this structure:

/application
/system
/public
   index.php 

You can change these two settings in public/index.php and you are done:

$application_folder = '../application';
$system_path = '../system';

Solution 4

Jon Winstanley's answer is perfect; also, don't forget to secure the file uploads folder, if you have one. I did that by also moving it outside the public root, and I get the images using the code below:

<?php
// Uploads directory sits outside the web root; adjust the path to your layout.
$upload_dir = realpath(__DIR__ . '/../uploads');
// basename() drops any directory part, so "../" in the request cannot leave $upload_dir.
$file = $upload_dir . '/' . basename($_GET["image"] ?? '');
$details = @getimagesize($file);
if ($details === false) {   // missing, or not an image file
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $details['mime']);
readfile($file);
exit;
?>
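The layout in Solutions 1 and 3 moves application and system out of the document root; the script in Solution 4 reads a file whose name the client supplies. Both come down to the same question: after canonicalisation, does a path still lie under the directory it is supposed to? The PHP below is an added example, not code from any of the answers. It builds a throwaway copy of the Solution 3 layout under the system temp directory (all names constructed), verifies that the index.php settings resolve to directories outside the document root, and then shows the same containment check serving an ordinary upload name while refusing a traversal request for application/config/database.php.

```php
<?php
// Added example, not code from any answer above. The directory names and the
// temp-dir layout below are constructed for the demonstration.

// Canonicalise $base/$relative and return it only if it stays inside $base.
// realpath() resolves "..", "." and symlinks, so the prefix test is made on
// the real filesystem location, not on the string the client sent.
function resolve_within(string $base, string $relative): ?string
{
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;
    }
    $candidate = realpath($base_real . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null;                              // target does not exist
    }
    $prefix = $base_real . DIRECTORY_SEPARATOR;
    if ($candidate !== $base_real && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                              // escaped $base
    }
    return $candidate;
}

// Path of a stored upload requested by bare file name. basename() strips any
// directory part the client supplied; the containment check still runs after it.
function upload_path(string $upload_dir, string $image): ?string
{
    $name = basename($image);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    return resolve_within($upload_dir, $name);
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed layout (Solution 3 style) under the system temp directory:
//   $root/application/config/database.php   must never be reachable
//   $root/uploads/cat.png                   the only file meant to be served
//   $root/public/                           the web server's document root
$root = sys_get_temp_dir() . '/ci_layout_' . bin2hex(random_bytes(4));
foreach (['application/config', 'system', 'uploads', 'public'] as $dir) {
    mkdir("$root/$dir", 0700, true);
}
file_put_contents("$root/application/config/database.php", "<?php // db credentials\n");
file_put_contents("$root/uploads/cat.png", "not really a PNG, constructed for the demo");
$doc_root = "$root/public";

// Deployment check: the index.php settings must point at directories that
// exist but do not live under the document root.
foreach (['../application', '../system'] as $setting) {
    expect(realpath("$doc_root/$setting") !== false, "$setting exists");
    expect(resolve_within($doc_root, $setting) === null, "$setting is outside the web root");
}

// Request check: a plain file name is served, anything else is refused.
$uploads = "$root/uploads";
expect(upload_path($uploads, 'cat.png') === realpath("$uploads/cat.png"), 'plain name served');
expect(upload_path($uploads, '../application/config/database.php') === null, 'basename strips traversal');
expect(resolve_within($uploads, '../application/config/database.php') === null, 'containment check alone rejects traversal');
expect(upload_path($uploads, 'missing.png') === null, 'unknown file refused');
echo "all checks passed\n";
```

Run it with the PHP CLI; it throws a RuntimeException on the first failing check and otherwise prints a confirmation line. The temp directory is left in place so the layout can be inspected afterwards. The two-layer approach is deliberate: basename() alone would be defeated by nothing here, but the realpath() prefix test also catches symlinks dropped into the uploads directory, which basename() cannot see.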
Author: Matt

Updated on June 23, 2022

Comments

  • Matt almost 2 years

    Isn't having all of the files in public view a bad thing?

    Surely things such as /system/application/config/database.php should not be publicly visible!

  • Frank Farmer over 14 years
    Unfortunately, sometimes, PHP doesn't get parsed -- usually due to administrator error. That's how all that Facebook source got leaked a while back. That's why you should keep everything out of world-accessible paths to begin with. It's the difference between locking your valuables in your glovebox, and not leaving them in the car in the first place.
  • MiseryIndex over 14 years
    I also like to pull the application folder out of the CodeIgniter folder. I rarely touch CodeIgniter's source and this saves me one level of nesting.
  • Matt over 14 years
    It also means you can reuse the CodeIgniter install for another app without replicating it in its own directory.
  • Matt over 14 years
    What does the [F,L] actually do here?
  • Corey Ballou over 14 years
    F adds a header (403 Forbidden) and L simply prevents any further rules from being processed.
  • Matthew Rapati over 14 years
    With this setup you also need to change $application_folder in index.php from the default.
  • sed about 9 years
    Of course, before that we sanitize the $_GET array by running through each element.