Entry Script Setup

While going through the guide, I stumbled upon this tip:

Yii does not need to be installed under a Web-accessible directory. A Yii application has one entry script which is usually the only file that needs to be exposed to Web users. Other PHP scripts, including those from Yii, should be protected from Web access; otherwise they might be exploited by hackers.

From my interpretation, this means that besides the entry script php file, all other files would not have to necessarily be in the wwwroot folder? If this is the case, can somebody please provide me with a quick step-by-step guide on how to set that up? So for example, let’s say currently I have:


     framework/ <--default yii framework folder

     mysite/ <--my website folder

         index.php <--yii entry script

         css/, images/, protected/, ...

What steps would I need to take so that I can end up with something like this:


     index.php <--yii entry script


     framework/ <--default yii framework folder

     mysite/ <--my website folder

As I mentioned before, this is how I am interpreting the Yii Tip that was mentioned in the guide. Please correct me if I’m wrong in my understanding. You can see the tip here: http://www.yiiframework.com/doc/guide/1.1/en/quickstart.installation

Thanks in advance!

Put your whole project under


     index.php <--yii entry script





  framework/ <--default yii framework folder

Edit the index.php of your project and change the first line.


// change the following paths if necessary



I see, so when they say “A Yii application has one entry script which is usually the only file that needs to be exposed to Web users”, it doesn’t mean that you can have just the index.php entry script in the /var/www/html/ folder?

Also, what are typical/recommended places to put the Yii framework folder in? Is it common to do as I recommend and just place it in the /var/www/ folder, or is there another typical location?





in index.php point to framework location:

$yii = APP_ROOT . '/framework/yii.php';

and to config (this also points to application directory):

$config = APP_ROOT . '/protected/config/main.php';

configure wwwroot as app_root/www/

is this what you asked for?

What I did on my site is to create a setup like this (where www is the publicly accessible web root):


.. site

.... framework_118/    // The framework folder for Yii 1.1.8

.... protected/

.... uploads/

.. www

.... themes/

...... mytheme

........ assets

.......... css/

.......... js/

.......... images/

........ views/        // Protected with 'deny from all' .htaccess file

.... index.php

Time constraints prior to the initial launch of my site left me without time to check if the themes/view folder could also be separated, but for now it works. Because the protected folder contains such sensitive data (your config file for example), it is best to move that to a spot that is not accessible through a browser.

In your index.php, you can change the $yii and $config variables. In the above example they would be:

$yii = dirname(__FILE__).'/../site/framework_118/yii.php';

$config = dirname(__FILE__).'/../site/protected/config/main.php';

Btw: I used the version number in the framework to easily update my site. The next update to my site will incorporate Yii 1.1.9, so I can simply upload that to site/framework_119, update index.php and remove 1.1.8.

Yeah, basically I was just curious if there was any way to just have the yii entry script (index.php) file in the /var/www/html/ directory, while all other files and folders would be in another non-accessible directory, because that was what I thought the Yii Tip was suggesting to do for security purposes.

You have to place index.php, assets and all client downloadable content (js, css, img) in web root. Framework itself and protected folder can be safely taken out of web root.
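
A way to check a deployed layout against the advice in this thread, as an added example that is not part of any poster's message or of Yii itself: the audit below reports whether the `$yii` and `$config` targets sit inside the web root and lists every PHP file other than the entry script that the web server can reach. The function names, the status labels and the sample tree (modelled on the `site/` + `www/` layout posted above) are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path

ENTRY_SCRIPT = "index.php"  # the only script the Yii tip says must be web-exposed

def has_deny_rule(directory, web_root):
    """True if directory, or a parent up to web_root, has an .htaccess with 'deny from all'."""
    current = directory
    while True:
        htaccess = current / ".htaccess"
        if htaccess.is_file() and "deny from all" in htaccess.read_text(errors="replace").lower():
            return True
        if current == web_root:
            return False
        current = current.parent

def audit_web_root(web_root, yii_path, config_path):
    """Return (kind, path, status) findings for PHP code reachable under web_root."""
    web_root = Path(web_root).resolve()
    findings = []
    # The targets of $yii and $config in index.php should resolve outside the web root.
    for label, target in (("$yii", yii_path), ("$config", config_path)):
        resolved = Path(target).resolve()
        if web_root in resolved.parents:
            findings.append((label, resolved.relative_to(web_root).as_posix(), "inside web root"))
    # Any other .php file under the web root is a script the server may execute on request.
    for php in sorted(web_root.rglob("*.php")):
        rel = php.relative_to(web_root).as_posix()
        if rel == ENTRY_SCRIPT:
            continue
        # .htaccess protection only holds on Apache with AllowOverride enabled.
        status = "htaccess-only" if has_deny_rule(php.parent, web_root) else "exposed"
        findings.append(("php", rel, status))
    return findings

def build_sample(base, files):
    """Create a constructed sample tree: files maps relative path -> file content."""
    for rel, content in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout modelled on the site/ + www/ tree posted above.
        build_sample(tmp, {"site/framework_118/yii.php": "<?php", "site/protected/config/main.php": "<?php",
                           "www/index.php": "<?php", "www/themes/mytheme/views/.htaccess": "deny from all\n",
                           "www/themes/mytheme/views/layout.php": "<?php"})
        for finding in audit_web_root(f"{tmp}/www", f"{tmp}/site/framework_118/yii.php",
                                      f"{tmp}/site/protected/config/main.php"):
            print(finding)
```

A finding marked `htaccess-only` is a PHP file that stays in the web root and depends on the server honouring the `.htaccess` rule, as with the `views/` folder in the layout above.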