|
Posted by Erwin Moller on 10/03/05 12:32
raykyoto@gmail.com wrote:
> Hi all,
>
> I'm sure this is a popular question that comes up every few months
> here. Indeed, I've looked at some of the past postings, but I would
> like to ask things differently.
>
> Basically, I'm using a flat file to storing data. I have to do this
> because mySQL is not installed on my web server, and I am not the root
> user. The amount of data is so small, that it isn't worth a full-blown
> database anyway. However, while the data is nothing valuable
> (generally e-mail addresses), I would like to make it as secure as
> possible. Both from robots and from other users.
>
> I found this useful posting in comp.lang.php (some parts cut) dating
> from 2002:
>
> -----
> 1. Put the file containing userdata _outside_ your webdirectory.
>
> or
>
> 2. Use a robots.txt to tell robots to not read the data.
> Save the file to root on your web as robots.txt, and (as an example)
> with
> the following content:
>
> User-Agent: *
> Disallow: /directory_containing_a_lot_of_email_adresses_and
> _other_juicy_user_stuff
>
> or
>
> 3. Wrap the data in an auth of some sort (may be difficult if you use
> that
> data for the auth....;-)
> -----
>
> I can do #1 and I was wondering if that is sufficient.
No, the only advantage working outside webroot is that a simple request to
the right place will not be answered by the webserver.
But you can also do so by other means.
As the non-root
> user, I guess I cannot do #2...
Yes you can.
you can place a robots.txt file just as you can place any other text file.
Can I also move the php scripts that
> write the flat files outside my web directory? Or is that not
> necessary?
Yes, can be done.
Pay attention to permissions however. :-)
If you do not, you can end up with files that are readable to the world,
that is 'everybody' who has access to your system.
When using shared hosting, that is everybody else on the same system.
>
> Also, as the host is a Unix machine, what permissions are suggested for
> the following? Of course, I only want the web server and me to be able
> to read and write to them. I'm thought about the permissions and have
> inserted them below.
>
> 1) directory of the php scripts that writes the flat files
> -rwx---r-x
>
> 2) the php scripts that writes the flat files
> -rwx---r-x
>
> 3) the directory of the flat files
> -rwx---rwx
>
> 4) the flat files themselves
> -rwx---rw-
>
> Is this possible? Can I do better?
Yes you can.
Suppose I am on the same machine:
- I can see directory 3)
- I can browse the content of directory 3)
- I can read/modify file in directory 3)
>
> I'm also new to php... I've hard-coded the paths to the flat files
> inside my php files, as one must, I guess. Is there a way for people
> to see the source of the php files so that they can extract the hard
> coded paths?
Sometimes.
Your php scripts have permission -rwx---r-x, so if I am on the same machine,
I can possible read your PHP files.
Some time ago I discussed a similar problem with macbri.
Here is a link:
http://groups.google.nl/group/comp.lang.php/browse_thread/thread/c8751c8082573e64/35398dedf888542a?lnk=st&q=erwin+moller++permission+directory&rnum=2&hl=nl#35398dedf888542a
Maybe that helps setting up something a lot more secure.
It involves denying directorylistings combined with a very long strange name
for a directory.
I hope it helps.
Good luck.
Regards,
Erwin Moller
>
> Thank you!
>
> Ray
[Back to original message]
|