Posted by Jerry Stuckle on 01/09/08 13:04

Rik Wasmus wrote:
> On Wed, 09 Jan 2008 06:03:36 +0100, <phpnoob@tragic.pointyhats.com> wrote:
>
>> I have a php script that processes a form and then posts the user
>> input to a data file on the server in a comma delimited format. For
>> simplicity call the file "data.csv." The script is working well and
>> the data is posted correctly to the data file.
>>
>> The big problem is that anyone can point their web browser to
>> www.mywebsite.com/data/data.csv and see exactly what is contained in
>> the data file. Obviously, I want the data in that file to be hidden
>> to everyone in the world but me. I have to give sufficient
>> permissions to the php script to save the user data from the form to
>> data.csv, but I don't want the world to be able to see the data in
>> that file.
>>
>> I have read and read some more with no luck. I do not run my own
>> server and am just using a hosting site. I have been working with the
>> file permissions, but every time I restrict access to data.csv the
>> script fails to write to the file because the permissions are
>> incorrect. Very frustrating.
>
> File permissions will probably do you little good: the server has to be
> able to write (and read?) it, so it will be able to read & serve it to
> users.
>
> Solutions, in order of desirability:
> 1. Store the file _outside_ the document root, just get it by FTP or SSH
> yourself.
> 2. Restrict acces to an entire directory using an .htaccess file (either
> full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
> there.
> 3. Add some php code at the start: <?php exit(); ?>, and name in *.php,
> again get it by FTP/SSH.

2a. Restrict access to the single file using .htaccess.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]