Putting core classes above the web root - good or bad idea?

南方客 2021-01-14 06:31

We are developing several web applications to run on our own server that will share a number of core classes as part of their MVC setup.

I'm thinking of putting the

2 Answers
  • 2021-01-14 07:09

    Not only is it a good technique but you should do it every time you can!

    You never know when you're gonna run into a sys-admin-of-hell that disables PHP and keeps Apache pumping files as full-text! ;)

    And I had that experience first hand. All was safe as no code whatsoever was pumped into the users.

  • 2021-01-14 07:15

    Zend Framework is using that technique, which makes the entire application safe from outputting sensitive PHP code as plain text since everything is outside the document root, and using mod_redirect to know what module/controller/action to dispatch to.

    A basic project layout looks something like

    application
    - controllers
    - views
    - - scripts
    public
    - .htaccess 
    - index.php
    library
    - Zend
    

    and having ../library in your include path lets you autoload all Zend classes (e.g. Zend_View) easily from anywhere in the application. Naturally, Zend also comes with class autoloaders for view helpers and other custom class prefixes, but this is beside the question scope.

    Since everything is outside the document root (/public), the only script a user could see (in case something goes wrong and users start to see exposed PHP code) is a call to the application bootstrap and other initialization lines (e.g. include paths and some constants, but you could also have all these initialized by including another external file...).

    In short, yes it is a good idea, and a good practice, to put the core classes outside the document root. All you need, then, is to add the path to your shared library in the include path list with something like:

    set_include_path(implode(PATH_SEPARATOR, array(
        LIBRARY_PATH,
        get_include_path(),
    )));
    

    where LIBRARY_PATH is the relative or absolute path to your shared library.

    Be aware, however, that the more paths you add, the slower autoloading classes will be. It is good practice to only have about 3 paths in there or less. Take a look at how Zend managed to get around this with their autoloaders.

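An added example, not part of the answer above and not Zend Framework's own code: a `public/index.php` for the layout shown in the answer that sets the include path and refuses to start if `application/` or `library/` resolves inside the document root. `APPLICATION_PATH`, `bootstrap.php` and the autoloader are assumptions made for illustration.

```php
<?php
// public/index.php: the only PHP file inside the document root (added example).
// Assumed layout, as in the answer: application/, library/ and public/ are siblings.

// Resolve paths from this file's location; realpath() returns false if missing.
$docRoot     = realpath(__DIR__);
$appPath     = realpath(__DIR__ . '/../application');
$libraryPath = realpath(__DIR__ . '/../library');

// Refuse to start if a directory is missing or has ended up inside the web root
// (bad deploy, symlink): its source would be served as text once PHP is disabled.
foreach (array($appPath, $libraryPath) as $path) {
    $inside = $path !== false
        && strpos($path . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR) === 0;
    if ($path === false || $inside) {
        http_response_code(500);
        exit('Application is not installed correctly.');
    }
}

define('APPLICATION_PATH', $appPath);
define('LIBRARY_PATH', $libraryPath);

// Shared library first, then whatever was already configured.
set_include_path(implode(PATH_SEPARATOR, array(
    LIBRARY_PATH,
    get_include_path(),
)));

// Minimal autoloader for underscore-separated names (Zend_View -> Zend/View.php).
// Names are limited to [A-Za-z0-9_], so they cannot carry "/" or "..".
spl_autoload_register(function ($class) {
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $class)) {
        return;
    }
    $file = LIBRARY_PATH . DIRECTORY_SEPARATOR
          . str_replace('_', DIRECTORY_SEPARATOR, $class) . '.php';
    if (is_file($file)) {
        require $file;
    }
});

// Hypothetical bootstrap file; all real application code lives outside public/.
require APPLICATION_PATH . '/bootstrap.php';
```

If the web server ever serves this file as plain text, a visitor sees directory names and a `require`, not application or library source.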