Posted by Rik Wasmus on 01/09/08 05:24

On Wed, 09 Jan 2008 06:03:36 +0100, <phpnoob@tragic.pointyhats.com> wrote:

> I have a php script that processes a form and then posts the user
> input to a data file on the server in a comma delimited format. For
> simplicity call the file "data.csv." The script is working well and
> the data is posted correctly to the data file.
>
> The big problem is that anyone can point their web browser to
> www.mywebsite.com/data/data.csv and see exactly what is contained in
> the data file. Obviously, I want the data in that file to be hidden
> to everyone in the world but me. I have to give sufficient
> permissions to the php script to save the user data from the form to
> data.csv, but I don't want the world to be able to see the data in
> that file.
>
> I have read and read some more with no luck. I do not run my own
> server and am just using a hosting site. I have been working with the
> file permissions, but every time I restrict access to data.csv the
> script fails to write to the file because the permissions are
> incorrect. Very frustrating.

File permissions will probably do you little good: the server has to be
able to write (and read?) it, so it will be able to read & serve it to
users.

Solutions, in order of desirability:
1. Store the file _outside_ the document root, just get it by FTP or SSH
yourself.
2. Restrict acces to an entire directory using an .htaccess file (either
full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
there.
3. Add some php code at the start: <?php exit(); ?>, and name in *.php,
again get it by FTP/SSH.
--
Rik Wasmus

[Back to original message]