Installing beneath the www root


mgbee
November 16th, 2004, 06:14 PM
I'd like to reinstall the cart below my www root... So that all of the functions aren't servable. The docs say "You can also install it within a folder below your web root." But after that the config file just seems like it's set up for installing the whole cart above the web root. Is there any documentation I can be pointed towards that describes the edits I'll need to look out for when installing the functions in a place where they can't be (possibly) world readable?

mgbee
November 16th, 2004, 06:44 PM
I ask this because I look through the files and see this:

file: import_db.php line 28:
$site_isp_root/squirrelcart.sql

and then this:

file: cart.php line 120
$site_isp_root/squirrelcart/import_db.php

And config.php tells me to make $site_isp_root the place where my store.php file is.

So, I can't change $site_isp_root to like "usr/local/below_web_where_I_want_to_put_squirrelcart_folder" without screwing up everything.

I'll look for every time $site_isp_root is summoned, and then change stuff like
$site_isp_root/squirrelcart/import_db.php

to

$site_isp_root/../squirrelcart/import_db.php

Is that the recommended way?
:snowman:

mgbee
November 16th, 2004, 06:50 PM
Also,
file: cart.php line 61
$cart_www_root...

what are we dealing with there? If I place squirrelcart underneath the web root, am I changing that as well to where store.php is, where squirrelcart would be if I installed it above the web root, or is that supposed to link to the squirrelcart folder underneath web root?

Thanks in advance.
mike

mgbee
November 17th, 2004, 08:48 PM
Hi again... does that mean I answered my own question?

Jamie
November 18th, 2004, 04:23 AM
Hi Mike,

I think you are referring to "below" web root a bit differently than I'm used to. Just to be sure that we are talking about the same thing, here is an example:

Example of web root:
/home/public_html/

Example of folder inside or "below" web root:
/home/public_html/squirrelcart

Example of a folder "above" web root:
/home/other_folder

Now, using that terminology, you should not attempt to put any squirrelcart files above your web root, with the exception of the new "sc_backup" folder.

Thanks,
Jamie

mgbee
November 18th, 2004, 12:48 PM
Thanks for the response. When the docs said below, I took that to mean above. OK, when I worked on my first shop in phpshop, we put all the includes above the public web folder, so they couldn't possibly be served.

If all of the includes and functions of squirrelcart are servable, isn't that potentially a security threat, in the sense that people could just serve up your functions via a browser with some GET variables, or in some other fashion that I can't think of? Or, for your company's sake, if all of your code is on all these websites, and the entire chunk of the code is world readable, wouldn't everyone be able to just pull it?

Jamie
November 18th, 2004, 03:02 PM
Good question. While it is always a good idea to put anything you don't want world accessible above your web root, there is not a vulnerability in this case. Because all the files are PHP, if you try to access them in your browser, PHP parses them, so you never actually see the real source code. You can tell this by looking at your store.php file in an editor, and comparing that to what you see when you do a "view source" in your browser.

The potential is still there for someone to try to send a GET to a file, but we've put code in place to handle that type of thing.

Thanks,
Jamie

mgbee
November 18th, 2004, 03:43 PM
Thanks again for the response. OK, that makes me feel better, but I still kind of fear there are people that are smarter than me, and not as lazy who could figure out how to do it. The problem is that I worked with a guru who shunned this idea. That may have been because we were working with .inc files... but the fact that config.php is web-readable bugs me. Can I put an .htaccess password on the store folder and have it still function, just to have an extra layer of security?
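
A check related to the thread's point about which files PHP parses, as an added example that is not part of the original posts and is not Squirrelcart's code: it walks a web root and lists files that would be returned as raw text rather than executed. It assumes the server hands only `.php` files to the interpreter; the sample layout is constructed, and `functions.inc` and `config.php.bak` are hypothetical names.

```python
import os
import tempfile

# Assumption: the web server passes only these extensions to the PHP interpreter.
PARSED_EXTS = {".php"}
# Extensions that usually hold code or data and are sent as-is when requested.
RAW_RISK_EXTS = {".inc", ".sql", ".bak", ".old", ".orig", ".swp"}


def audit_docroot(docroot):
    """Return sorted (relative_path, reason) pairs for files served unparsed."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in PARSED_EXTS:
                continue  # executed by PHP, so the source is not returned
            if ".php" in lower:
                # e.g. config.php.bak or config.php~ left behind by an editor
                findings.append((rel, "PHP source copy with non-PHP extension"))
            elif ext in RAW_RISK_EXTS or lower.endswith("~"):
                findings.append((rel, "served as plain text"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout; some names follow files mentioned in the thread."""
    for rel in ("store.php", "squirrelcart.sql", "squirrelcart/config.php",
                "squirrelcart/config.php.bak", "squirrelcart/functions.inc",
                "squirrelcart/logo.gif"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_docroot(tmp):
            print(f"{rel}: {reason}")
```

Files it reports are candidates for moving outside the web root or for a server rule that denies direct requests.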