PHP file directories on a web server

There are two types of PHP source files: directly-called page scripts that generate a web page for a visitor, and indirectly-called include files that define functions and reusable features. The two different types of file should be kept in different directory trees on your web server.

Page scripts

The scripts that are directly requested by visitors to your website need to be in your publicly-accessible web directories. Examples are a page called showthread.php that displays a forum posting, or a page called submitfeedback.php that processes feedback form data. These pages must be directly accessible by visitors, so they have to be somewhere within your public web directory structure (unless you're using fancy URL rewriting tricks).

Include files

However, PHP files that are not directly requested by visitors to your website need not be kept in your publicly-accessible folders. Files that do nothing but define functions for other scripts will only clutter up your public directory tree. And include files that instantly echo HTML output as soon as you include them, without having to call a function first, should be kept out of your public directories. Otherwise there's nothing to stop other websites remotely including them and displaying your content on their site.

Instead, such include files should be kept in a directory above your public web document root, so that people outside your web space cannot access them. Your PHP scripts will still be able to include these files, but no one else should be able to. For instance, suppose the filepath to your public web root (document root) is the following on your server machine:

/var/www/mydomain.com/public_html/

such that when someone requests http://mydomain.com/index.php in a web browser, the following file on your server machine is accessed:

/var/www/mydomain.com/public_html/index.php

Because index.php is a page script, and people ask for it directly, it's obvious that this needs to be in the publicly-accessible directory tree, under public_html. But suppose the PHP code inside index.php includes a file called randomizer.php which chooses a random quote and returns the HTML for displaying that quote on the current page. It's not a great idea to put randomizer.php in the public_html directory, because we don't want other sites including it.

Instead, it's better to put randomizer.php in its own directory above the public_html directory, so that it cannot be requested directly by people outside of your web space. For instance, you could store it in the following path:

/var/www/mydomain.com/php_includes/randomizer.php

PHP should be able to include this file with the following call:

include '/var/www/mydomain.com/php_includes/randomizer.php';

However, if you're worried about a change in directory structure breaking all of your code (for instance, if you change from one web host to another) then the following code should work, so long as you always store randomizer.php in a directory called php_includes one level above the public web directory:

include $_SERVER['DOCUMENT_ROOT'].
        '/../php_includes/randomizer.php';

So long as the DOCUMENT_ROOT value in $_SERVER is correct on your web server, you won't need to change your code even if the path to your public web directory changes. Just keep your include files in suitably-named directories one level above your public web root, and they remain inaccessible to the outside world, while being tidily stored out of the way ready for inclusion in your PHP page scripts.
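The layout described above can also be checked at run time. The following is an added example, not code from the original page: the helper name private_include_path and the temporary directory layout are assumptions made for illustration. It goes slightly beyond the text by also refusing file names that resolve outside php_includes.

```php
<?php
// Added example. The function name and the temp layout are constructed.

// Return the real path of $file inside the php_includes directory one level
// above $docRoot, or throw if the layout is not as expected.
function private_include_path(string $docRoot, string $file): string
{
    $sep  = DIRECTORY_SEPARATOR;
    $root = realpath($docRoot);
    $dir  = realpath($docRoot . '/../php_includes');
    if ($root === false || $dir === false) {
        throw new RuntimeException('document root or php_includes not found');
    }
    // A symlink could make php_includes resolve to a path under the public
    // tree, which would make the include files directly requestable again.
    if (strpos($dir . $sep, $root . $sep) === 0) {
        throw new RuntimeException('php_includes is inside the document root');
    }
    // Resolve the file and require that it stays inside php_includes.
    $path = realpath($dir . $sep . $file);
    if ($path === false || strpos($path, $dir . $sep) !== 0) {
        throw new RuntimeException("include file not available: $file");
    }
    return $path;
}

// Constructed layout so the example runs from the command line:
//   <tmp>/site_<pid>/public_html/index.php   (public_html stands in for DOCUMENT_ROOT)
//   <tmp>/site_<pid>/php_includes/randomizer.php
$site = sys_get_temp_dir() . '/site_' . getmypid();
mkdir("$site/public_html", 0755, true);
mkdir("$site/php_includes", 0755, true);
file_put_contents("$site/public_html/index.php", "<?php // page script\n");
file_put_contents("$site/php_includes/randomizer.php",
    "<?php return '<blockquote>constructed sample quote</blockquote>';\n");

// In a real page script, pass $_SERVER['DOCUMENT_ROOT'] instead.
$docRoot = "$site/public_html";
$html = require private_include_path($docRoot, 'randomizer.php');
echo $html, "\n";

// A name that climbs back into the public tree is refused.
try {
    private_include_path($docRoot, '../public_html/index.php');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```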