I am confused as to what constitutes " best practice" for the structure of a PHP web-based application. Reading this site there are a number of suggestions. One structure frequently mentioned is "do not have any php files inside the document root". While this sounds like good practice, I cannot see how it works - the web server doesn't recognise anything outside the document root. I assume here that document root is the public access directory, something like as shown below:
app-
|
- htdocs - document root
| |
| - index.php
| - css/
| - images/
|
- PHP classes in here/
- Other PHP classes in here.../
Or is it that "app" in the above example is the document root, and the htdocs dir is the publicly accessible area of the site structure?
Following on from that, how do I ensure public access is not available for the files in dirs other than htdocs please?
The concept is simple, especially if you use a front controller based framework whether it be your own or an existing one (like the Zend Framework). When all of the requests come through a central controller the files necessary to handle the request are included as necessary. Included files do not have to be in the web root to work. They just need to be available to the controller to be included and then executed. So, only your controller needs to be in the web root. Everything else can be outside of it.
FYI, this also works with non-OOP applications. You just need to include the files you need in each page.
What does need to be in the web root are any asests like images, styelsheets, javascript files, etc. that are requested by the browser.
While it's true the webserver won't recognize anything "outside" the document root, that only applies to files requested by the USER via an HTTP request.
PHP runs within the webserver, and has no concept of document roots and URLs. it sees only the underlying file system of the webserver's host operating system, and data coming in and going out that conforms to certain standards. The only time PHP would be bound by some web-based restriction is if the webserver itself is running within a chroot jail.
As such, you can put a php file ANYWHERE on the file system, and, assuming permissions are correct, PHP will be able to reach it and run it. It doesn't matter if that file is buried in a directory 500 levels deep somewhere completely outside the document root - if it's reachable, PHP can run it.