Getting the relative path to the document root

[gsingh2011]

I have a CSS file that all of my HTML files include. I don't like the idea of having the absolute document root path displayed in the HTML code when the file is included, so I don't want to use $_SERVER['DOCUMENT_ROOT'] as the basepath to the file. Is there a way for me to get the relative path to the document root?

Edited May 26, 2012 by gsingh2011

[Guest So Called]

Could you be a little more clear in your question? If it's an external CSS file then just put it in the same directory as your index.php, and refer to it in your <HEAD> section. If you're generating HTML with a PHP script then put the CSS file in the same directory as your index.php and and don't add any path information. But site visitors shouldn't see the include statement anyway. I don't see any reason site visitors should see your base path information except when errors occur, but that's a whole 'nother thing, and you can prevent that too. It seems likely I misunderstand your question. By the way, I don't like site visitors seeing my base path information either. Honest site visitors have no use for the information and probably don't understand it, while hackers might find some way to misuse the information and my policy is never give hackers anything. I've even removed PHP's X-Powered-By header, and my site doesn't use .PHP URL names. Maybe I'm running PHP, maybe it's just really clever HTML.

Edited May 26, 2012 by So Called

[Don E]

So Called, To remove PHP's X-Powered-By header, is that done in the php.ini file?

[gsingh2011]

Could you be a little more clear in your question? If it's an external CSS file then just put it in the same directory as your index.php, and refer to it in your <HEAD> section. If you're generating HTML with a PHP script then put the CSS file in the same directory as your index.php and and don't add any path information. But site visitors shouldn't see the include statement anyway. I don't see any reason site visitors should see your base path information except when errors occur, but that's a whole 'nother thing, and you can prevent that too. It seems likely I misunderstand your question. By the way, I don't like site visitors seeing my base path information either. Honest site visitors have no use for the information and probably don't understand it, while hackers might find some way to misuse the information and my policy is never give hackers anything. I've even removed PHP's X-Powered-By header, and my site doesn't use .PHP URL names. Maybe I'm running PHP, maybe it's just really clever HTML.

Let me clarify the issue. My document root is something like /var/www/. I have the following two files, /var/www/index.php and /var/www/foo/index.php. I have a CSS file /var/www/css/styles.css. In both index.php files, I want to include the CSS file. In the link tag, I can set href to

href="<?= $_SERVER['DOCUMENT_ROOT'] ?>css/styles.css"

for both files. The only issue is now if someone views the source, they see /var/www/css/styles.css. I'd prefer that in the first index.php they would see css/styles.css and in the foo/index.php they would see ../css/styles.css.

Edited May 26, 2012 by gsingh2011

[Guest So Called]

@ Don: No, much easier than that.

	header('X-Powered-By:');

Put that in your script before you have echoed any HTML output. You will get an error message otherwise, and the error might even include your base path information.

Edited May 26, 2012 by So Called

[Guest So Called]

@ gsingh: Still not clear. Are both /index.php and /foo/index.php part of the same website, say perhaps example.com and example.com/foo? If so,

href="/css/styles.css"

What I mean to say is there is no need to use the $_SERVER variable. Or if you do, use $_SERVER['HTTP_HOST'].

Edited May 26, 2012 by So Called

[justsomeguy]

There's a setting in php.ini called expose_php that you can use to disable the headers.

[Don E]

There's a setting in php.ini called expose_php that you can use to disable the headers.

Yes noticed that, thanks for the confirmation.

[Guest So Called]

More interesting reading: http://php.net/manual/en/security.hiding.php Noting that security by obscurity is of virtually zero worth. My reason for hiding the PHP header was amusement more than anything else. My code is as secure as I can make it, whether or not anybody can tell I'm running PHP scripts.

[Guest So Called]

Additional tip on not leaking out your absolute document root path: Whenever including a file, test for whether the file exists before you include it. If it exists then include it. If not, display your own error message. Otherwise a failed include or require will emit an error message with the path information included.