Posted by The Natural Philosopher on 01/09/08 08:46
Rik Wasmus wrote:
> On Wed, 09 Jan 2008 06:03:36 +0100, <phpnoob@tragic.pointyhats.com> wrote:
>
>> I have a php script that processes a form and then posts the user
>> input to a data file on the server in a comma delimited format. For
>> simplicity call the file "data.csv." The script is working well and
>> the data is posted correctly to the data file.
>>
>> The big problem is that anyone can point their web browser to
>> www.mywebsite.com/data/data.csv and see exactly what is contained in
>> the data file. Obviously, I want the data in that file to be hidden
>> to everyone in the world but me. I have to give sufficient
>> permissions to the php script to save the user data from the form to
>> data.csv, but I don't want the world to be able to see the data in
>> that file.
>>
>> I have read and read some more with no luck. I do not run my own
>> server and am just using a hosting site. I have been working with the
>> file permissions, but every time I restrict access to data.csv the
>> script fails to write to the file because the permissions are
>> incorrect. Very frustrating.
>
> File permissions will probably do you little good: the server has to be
> able to write (and read?) it, so it will be able to read & serve it to
> users.
>
> Solutions, in order of desirability:
> 1. Store the file _outside_ the document root, just get it by FTP or SSH
> yourself.
> 2. Restrict access to an entire directory using an .htaccess file (either
> full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
> there.
> 3. Add some php code at the start: <?php exit(); ?>, and name in *.php,
> again get it by FTP/SSH.

4. Store the file outside document root, or in a .htaccess protected
directory for which NO HTTP USER ACCESS EXISTS AT ALL and write a php
script that takes a get variable with an obscure reference to something
to pull it.

So, i.e., you might type URL:/get-my-file.php?file=data.csv:password=5786gjk
or some such.

I myself would go with method 2, though. Enough to deter casual
hackers, but not overly hard to set up name and password persistently in
your own browser.
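
Method 4 above, sketched as an added example (not code from either poster): a fetch script that serves a file kept outside the document root only after checking a secret and an allowlist of file names. The path `/home/example/private-data`, the `secret.php` file, and the `key` field are assumptions for illustration; the secret is read from the POST body rather than the URL because query strings are written to server access logs.

```php
<?php
// get-my-file.php: added example, not code from the thread.
// Assumptions: DATA_DIR lies outside the document root, and secret.php
// in that directory returns a hash created once with password_hash().
declare(strict_types=1);

const DATA_DIR = '/home/example/private-data'; // hypothetical path
const ALLOWED  = ['data.csv'];                 // only files meant to be fetched

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

// Check the secret against the stored hash; the plaintext is never on disk.
$storedHash = require DATA_DIR . '/secret.php';
$key = $_POST['key'] ?? '';
if (!is_string($key) || !password_verify($key, $storedHash)) {
    deny(403);
}

// Never build a path from raw input: the name must match the allowlist exactly,
// which rejects "../" sequences, absolute paths and array-valued parameters.
$file = $_GET['file'] ?? '';
if (!is_string($file) || !in_array($file, ALLOWED, true)) {
    deny(404);
}

// Second check: the resolved path must still sit inside DATA_DIR
// (catches a symlink in the data directory that points elsewhere).
$base = realpath(DATA_DIR);
$path = realpath(DATA_DIR . '/' . $file);
$prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
if ($base === false || $path === false
    || strncmp($path, $prefix, strlen($prefix)) !== 0) {
    deny(404);
}

// Send as a download so the browser does not render or sniff the content.
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename="' . $file . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: no-store');
readfile($path);
```

The form-processing script keeps writing to the same file under `DATA_DIR`; only this script ever sends it over HTTP.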