0

I'm new to web development. I have issues with having files stored in different folders (for safety reasons). Here's the index page which returns an error

<head>
   <script src="../scripts/script.js"></script>
</head>
<body>
   <?php include "../php/page.php"; ?>

   Other code here...
</body>

My file structure is as follows

www/
   html/
      index.php

   scripts/
      script.js

   php/
      page.php

I don't get why including php file works (row 5 in the example code provided) and including javascript doesn't (row 2). I guess you're interested about the error so here's what Google Chrome's console says

Failed to load resource: the server responded with a status of 404 (Not Found)

It also shows that link to the resource and it appears to look for my.server.address/scripts/script.js like it doesn't care the ../ part. Can someone explain this behaviour?

prkmk
  • 343
  • 1
  • 4
  • 11

2 Answers2

6

PHP resolves paths on the computer's file system.

Web browsers resolve paths on the URL.

Your HTTP server has http://my.server.address/ mapping to www/html on the file system.

So ../scripts/script.js goes up one level from / … to / (because that is the top), then down to /scripts then down to /scripts/script.js.

The browser asks the HTTP server for /scripts/script.js and it maps that to the file system — www/html/scripts/script.js and returns a 404 because that file doesn't exist there.

The browser can only read data that the web server will send to it, and by keeping the scripts directory outside of the document root you haven't make it available via the web server.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • That is a very nice catch! It seems likely, and I'll +1 if OPs issue is resolved. – zfrisch Mar 28 '19 at 17:16
  • @zfrisch — It's the last paragraph of the question that clinches it. – Quentin Mar 28 '19 at 17:17
  • That was quick! Any ideas how to prevent people from reading js files? my.server.address/script.js will show the script itself – prkmk Mar 28 '19 at 17:21
  • 3
    You can't prevent people from reading your js file. And you don't want to. You're trying to include the js file on the page. You literally want people to read it – Taplar Mar 28 '19 at 17:21
  • You cannot make a distinction between "a web browser that you want to execute some client-side code" and "the user who has complete control over that web browser". – Quentin Mar 28 '19 at 17:23
  • Quentin: Right! Unfortunately often times something like this happens to be straight-up user error and It's easy to become comfortable thinking that way after a few dozen instances :) @Lare as an aside, you can minify or obfuscate your code, but there's no way to hide it outright from users. – zfrisch Mar 28 '19 at 17:26
  • Thanks guys for clarifying the basics! – prkmk Mar 28 '19 at 17:31
  • @LareLarsson [How do I hide javascript code in a webpage?](https://stackoverflow.com/questions/6869312/how-do-i-hide-javascript-code-in-a-webpage) By the way, why is this the *third* topic about hiding JavaScript today? – VLAZ Mar 28 '19 at 17:31
  • @VLAZ I may have multiple accounts. Thanks for the advice anyway! – prkmk Mar 28 '19 at 18:06
1

Change

<script src="../scripts/script.js"></script>

to

<script src="/scripts/script.js"></script>

And your folder structure should be:

www/html/index.php
www/html/scripts/script.js
www/html/php/page.php
  • There is no need to change the directory structure. – VLAZ Mar 28 '19 at 17:19
  • @VLAZ I wanted to clarify that `script.js` should be `www/html/scripts/script.js` so that client can read it. –  Mar 28 '19 at 17:22
  • @VLAZ — All else being equal, the directory structure does need to change. – Quentin Mar 28 '19 at 17:22
  • Given that the server maps the root to www/html, I would agree that all the public resources should probably be nested under it. Personal opinion though – Taplar Mar 28 '19 at 17:23