Posted by Gordon on 01/09/08 14:09

On Jan 9, 5:03 am, phpn...@tragic.pointyhats.com wrote:
> I have a php script that processes a form and then posts the user
> input to a data file on the server in a comma delimited format. For
> simplicity call the file "data.csv." The script is working well and
> the data is posted correctly to the data file.
>
> The big problem is that anyone can point their web browser towww.mywebsite.com/data/data.csvand see exactly what is contained in
> the data file. Obviously, I want the data in that file to be hidden
> to everyone in the world but me. I have to give sufficient
> permissions to the php script to save the user data from the form to
> data.csv, but I don't want the world to be able to see the data in
> that file.
>
> I have read and read some more with no luck. I do not run my own
> server and am just using a hosting site. I have been working with the
> file permissions, but every time I restrict access to data.csv the
> script fails to write to the file because the permissions are
> incorrect. Very frustrating.
>
> Thanks for any help.

If it is possible to do so then store the file in a directory that
isn't visible to the web. For example, if when you look into the web
server's FTP site and your home directory contains a public_html
directory or similar from which web pages are served, save the file to
the level above the public_html directory.

If everything on your web server's machine is web accessible then
create a directory for your file to go in and protect it with
a .htaccess file that is set to deny from all.

If at all possible go for the first option as it is 100% foolproof,
whereas the latter might fail if a misconfiguration of the web server
occurs (like the host installs a new version of apache and forgets to
enable support for .htaccess files when they start it).

[Back to original message]