[RESOLVED] Path to CSS file not working.

amy_damnit

I am having trouble with getting a CSS stylesheet to work in my HTML file.

HTML located here...
/Users/user1/Documents/DEV/+htdocs/VQS_2/0301_BaseTemplate.html

CSS located here...
/Users/user1/Documents/DEV/+includes/style.css

Suspect HTML coding...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title></title>
[COLOR="Red"]		<link rel="stylesheet" href="../../+includes/style.css"
				type="text/css" media="screen" />
[/COLOR]    </head>
    <body>

What am I doing wrong?

Amy

bradgrafelman

I'm going to guess that "htdocs" is the root of your website. That means that as far as a browser can see, the htdocs folder is the highest level it can go - you can't use "../" to move to its parent directory.

Otherwise, you could use "../" as many times as you'd like in order to gain access to the root of the server's hard drive - a very obvious security risk!

amy_damnit

bradgrafelman;10915260 wrote:
I'm going to guess that "htdocs" is the root of your website. That means that as far as a browser can see, the htdocs folder is the highest level it can go - you can't use "../" to move to its parent directory.

Otherwise, you could use "../" as many times as you'd like in order to gain access to the root of the server's hard drive - a very obvious security risk!

Ah ha, but you can do that in PHP.

And, ironically, to promote security. That is, my book said it is safer to keep all of your included files OUTSIDE of the Web Root Directory because people on the outside only have access to your Web Root Directory and not your entire hard-drive. (Well, technically speaking!)

I used this code with a php included file yesterday and it worked okay...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title></title>
    </head>
    <body>
        <?php
			// This script adds a blog entry to the database.

		// Address error-handling
		error_reporting(E_ALL & ~E_NOTICE);

[COLOR="Red"]			// Include database settings outside of web directory.
			require_once ('../../+includes/MysqlConnect.php');[/COLOR]

So I see what you are saying, but I also see what the author was saying. Seems like a conflict?! 😕

In the end, I was just trying to save my CSS stylesheet outside of the Web Root Directory just like my "MysqlConnect.php" file so that it is less accessible to the outside world.

Comments?

Amy

bradgrafelman

amy.damnit wrote:
I also see what the author was saying. Seems like a conflict?!

There's no conflict; in fact, you're witnessing the crux of the book's argument.

The browser can not access this file, whereas PHP can since it runs on the server. The two are on complete opposite ends of the spectrum.

EDIT: Also, there's no such thing as "less accessible" when it comes down to it; either a file is accessible or it isn't. Anything that's client-side - HTML, CSS, Javascript, etc. - must be visible by the outside world. Some people hate to hear that and try to use all these elegant (yet pointless) solutions to hide their code when in the end it's all defeated by a few mouse clicks in FireFox.

MySQL connection details, obviously, are not something that browsers need to see - that's why your book might've suggested placing these type of PHP files outside of the root of your website.

amy_damnit

bradgrafelman;10915266 wrote:
There's no conflict; in fact, you're witnessing the crux of the book's argument.

The browser can not access this file, whereas PHP can since it runs on the server. The two are on complete opposite ends of the spectrum.

"This file" must be my php file?

Not sure if I follow you there. All files for a website exist on the server.

The difference is in what your browser can interpret. A understands HTML, but does not understand PHP. So, your PHP server translates the PHP into HTML so the browser can understand it.

Regardless, all files - on a production site - would exist on a server.

I guess what you were meaning is that HTML cease to have relevance above the Web Root Directory (because apparently that is as high an HTML page can look upwards).

By contrast, the PHP server could - in theory - look anywhere on your server (or network) for a file, because it grabs it, interprets it, and then sends it off to the user.

That is a fair description, right?

EDIT: Also, there's no such thing as "less accessible" when it comes down to it; either a file is accessible or it isn't.

I meant that is is apparently harder to hack files outside of the Web Root Directory.

Anything that's client-side - HTML, CSS, Javascript, etc. - must be visible by the outside world. Some people hate to hear that and try to use all these elegant (yet pointless) solutions to hide their code when in the end it's all defeated by a few mouse clicks in FireFox.

Well, they can always see your HTML, but if you created a CSS style sheet dynamically using PHP, could they still see it? (Not that a CSS stylesheet is really top secret?!) 🙂

[quoteMySQL connection details, obviously, are not something that browsers need to see - that's why your book might've suggested placing these type of PHP files outside of the root of your website.[/QUOTE]

I agree.

Amy

bradgrafelman

amy.damnit wrote:
"This file" must be my php file?

I was referring to any file you place outside of the "htdocs" folder.

amy.damnit wrote:
The difference is in what your browser can interpret. A understands HTML, but does not understand PHP. So, your PHP server translates the PHP into HTML so the browser can understand it.

Er.. well yeah, I guess that's true. Just to be clear, though, the browser never sees the PHP code - the Apache server calls the PHP interpreter, which loads the PHP file, parses it, and then passes over any output on to Apache which then gets sent to your browser. Most often, yes, you're producing HTML which the browser receives and renders.

amy.damnit wrote:
I guess what you were meaning is that HTML cease to have relevance above the Web Root Directory (because apparently that is as high an HTML page can look upwards).

Well, HTML is just a language; it's your browser that has to do the work. When the browser renders the page and sees CSS files to load, it makes separate requests to your webserver to download those files as well. Since the root of your website (e.g. the "/" in "mysite.com/") points to the htdocs folder, it doesn't make sense to pass a path that goes above this directory on to the browser.

amy.damnit wrote:
By contrast, the PHP server could - in theory - look anywhere on your server (or network) for a file, because it grabs it, interprets it, and then sends it off to the user.

There isn't a "PHP server" - PHP is just a programming language. If you meant webserver, then yes, the PHP interpreter can access the local filesystem on the server without going through Apache, so "/" to the process executing the PHP code actually means the root of the server's hard drive.

amy.damnit wrote:
I meant that is is apparently harder to hack files outside of the Web Root Directory.

That's true; to do so, a hacker would either have to a) have knowledge about a security hole in an application on your site (e.g. content.php?id=news is a script that uses the 'id' to load "news.inc" but without proper precautions could be called as content.php?id=../../secret_dir/mysql_info.php to access files you didn't intend to), or b) compromise the server itself to gain access to the local filesystem (which might happen with some shared hosts).

amy.damnit wrote:
Well, they can always see your HTML, but if you created a CSS style sheet dynamically using PHP, could they still see it?

Yes, since CSS is content that you have to pass to the browser in order for it to be useful. Anything you send to the browser, be it HTML, Javascript, CSS, images, etc. can be scraped, copied, whatever you'd like to call it. As far as dynamic CSS goes, it's no different than if you'd make it a static file - it's just CSS data outputted by your websever when a client's browser requests it. In FireFox (with the WebDeveloper toolbar), it's as easy as pressing Ctrl+Shift+C on your keyboard.

amy_damnit

bradgrafelman;10915275 wrote:
Er.. well yeah, I guess that's true. Just to be clear, though, the browser never sees the PHP code - the Apache server calls the PHP interpreter, which loads the PHP file, parses it, and then passes over any output on to Apache which then gets sent to your browser. Most often, yes, you're producing HTML which the browser receives and renders.

Exactly.

Well, HTML is just a language; it's your browser that has to do the work. When the browser renders the page and sees CSS files to load, it makes separate requests to your webserver to download those files as well. Since the root of your website (e.g. the "/" in "mysite.com/") points to the htdocs folder, it doesn't make sense to pass a path that goes above this directory on to the browser.

But doesn't CSS get converted into HTML just like a lot of PHP gets translated into HTML? (I haven't really learned CSS yet, but I thought the CSS formatting classes where converted to pure HTML to handle the formatting?)

There isn't a "PHP server" - PHP is just a programming language. If you meant webserver, then yes, the PHP interpreter can access the local filesystem on the server without going through Apache, so "/" to the process executing the PHP code actually means the root of the server's hard drive.

Well, I use the term "server" loosely. When I said "PHP server" I was implying the "PHP Interpreter" because after it interprets PHP it does "serve" it out to Apache, right?

People talk about the Oracle "server", a J2EE "server", a .NET "server" so I use the term "server" more than "interpreter" since at a more abstract level they communicate the same thing, and from my experience that is how a lot of people use the terms too. Although to be a purist, "PHP Interpreter" is more on spot. 🙂

Yes, since CSS is content that you have to pass to the browser in order for it to be useful. Anything you send to the browser, be it HTML, Javascript, CSS, images, etc. can be scraped, copied, whatever you'd like to call it. As far as dynamic CSS goes, it's no different than if you'd make it a static file - it's just CSS data outputted by your websever when a client's browser requests it. In FireFox (with the WebDeveloper toolbar), it's as easy as pressing Ctrl+Shift+C on your keyboard.

Again, from my lack of CSS knowledge, I thought that CSS was converted to HTML just like a JSP or PHP page is converted to HTML. IF that assumption was correct, then it seemed t me that "hiding" my CSS stylesheet outside of the Web Directory was a good idea.

Was I wrong?

Amy

bradgrafelman

amy.damnit wrote:
But doesn't CSS get converted into HTML just like a lot of PHP gets translated into HTML?

Nope; CSS is an entirely different language. Browsers just know how to parse it and link it with the elements it renders from the HTML.

amy.damnit wrote:
People talk about the Oracle "server"

Well that's because Oracle IS a server - it's a separate application (more like a daemon) that handles connections and serves up content. PHP is more like an "extension" of Apache, a special subroutine that handles certain requests that come into Apache (e.g. files that end in ".php").

Either way, I just wanted to clarify PHP's role a bit - there have been others that didn't quite understand the role of the webserver in all of this.

amy.damnit wrote:
Again, from my lack of CSS knowledge, I thought that CSS was converted to HTML just like a JSP or PHP page is converted to HTML.

As I said above, CSS is its own language - browsers know how to parse it separately from HTML and how it can change the rendering of HTML elements.

Also note that there is no "conversion" of a JSP or PHP page into HTML - the PHP code can do whatever it wants. It can output binary data, images, XML, HTML, or even some proprietary format that a custom developed client-side application understands. It can even output data in format that another web service (e.g. PayPal) can understand and process.

amy.damnit wrote:
IF that assumption was correct, then it seemed t me that "hiding" my CSS stylesheet outside of the Web Directory was a good idea.

I don't see how you drew that conclusion; as I said before, if you want the CSS stylesheet to actually do anything, then you have to supply it to the browse whenever it requests it (e.g. when it parses a <link> tag and sees a link to the stylesheet). Since the browser can't download it unless it's within your website's root folder, I don't see how "hiding" it outside of this folder would do you any good - you might as well not have it at all.

amy_damnit

bradgrafelman;10915328 wrote:
Nope; CSS is an entirely different language. Browsers just know how to parse it and link it with the elements it renders from the HTML.

Okay, my bad.

Well that's because Oracle IS a server - it's a separate application (more like a daemon) that handles connections and serves up content. PHP is more like an "extension" of Apache, a special subroutine that handles certain requests that come into Apache (e.g. files that end in ".php").

Either way, I just wanted to clarify PHP's role a bit - there have been others that didn't quite understand the role of the webserver in all of this.

Yah, I understand what Apache does. I guess I was just being sloppy with my terminology. Hopefully you see the context of how I was using "PHP Server"? (I guess I still see the PHP Interpreter as "serving" up the HTML which is then "served" up by Apache to the Browser. But that is just semantics!)

As I said above, CSS is its own language - browsers know how to parse it separately from HTML and how it can change the rendering of HTML elements.

Okay.

Also note that there is no "conversion" of a JSP or PHP page into HTML - the PHP code can do whatever it wants. It can output binary data, images, XML, HTML, or even some proprietary format that a custom developed client-side application understands. It can even output data in format that another web service (e.g. PayPal) can understand and process.

Well, I meant "conversion" as in dynamically setting the HTML and content like this...

				// Run query.
				if ($result = mysql_query($query)) {
					// Retrieve and print every record.
					while ($row = mysql_fetch_array($result)) {
						print "<p><h3>{$row['title']}</h3>
								{$row['entry']}<br />
								<a href=\"1208_EditEntry.php?
								id={$row['blog_id']}\">Edit</a>
								<a href=\"1207_DeleteEntry.php?
								id={$row['blog_id']}\">Delete</a>
								</p><hr />\n";
					}

or this...

				// Make day pull-down menu.
				print '<select name="day">';
				for ($day=1; $day<=31; $day++) {
					print "\n<option value=\"$day\">$day</option>";
				}
				print '</select>';

I don't see how you drew that conclusion; as I said before, if you want the CSS stylesheet to actually do anything, then you have to supply it to the browse whenever it requests it (e.g. when it parses a <link> tag and sees a link to the stylesheet). Since the browser can't download it unless it's within your website's root folder, I don't see how "hiding" it outside of this folder would do you any good - you might as well not have it at all.

Well, like I said, I don't know CSS very well. I thought you could use PHP to create a CSS stylesheet that would then dynamically set the HTML. For example, above the PHP is dynamically setting the HTML and its contents. PHP creates the drop-down box values on the fly.

And, you could - in theory - have PHP code that dynamically changed HTML tags depending on some condition. Maybe if $AmountDue is more than 30 days late then you would use PHP to change the HTML tags to make the text red?

I thought maybe the PHP could read the CSS file and then "build" the HTML bsed on what it read without letting a user see what the CSS originally was.

If you had this code...

<?php

if $DaysLate > 30 {
   print "<p><b><font color=/"#FF0000/">You payment is $DaysLate days late!!  Pay up or else!!</font></b>"

} else {
   print "<p>You payment is $DaysLate days late, but no worries."

};

That is a crude analogy from me - a mere newbie to PHP - but hopefully you follow my line of thinking?! :o

Amy

bradgrafelman

Theoretically, instead of using classes in CSS, you could paste the contents of the CSS class into a "style" tag of every HTML element in the document. Not only would that get tedious and incredibly LENGTY, but you'd lose every aspect of why CSS stylesheets are used. You can output the same HTML, and simply switch CSS stylesheets to give your site an entirely new look, color scheme, etc.

Also, PHP doesn't know what a drop-down box is, let alone how to style one. You can, however, do like you showed; use PHP to output in-line styling based on given conditions. Normally, however, you'd use PHP to output different class names for an element and let the CSS document handle all of the actual styling (oh, and get rid of that horrible <font> tag! :p).

Long story short, yes, you can use PHP to style the HTML you output, but that would lose all of the benefit of CSS and make for some very sloppy HTML.

amy_damnit

Okay, I got it.

It was just an idea.

Thanks for the explanation.

Amy