Bookmarks

Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

phpmyadmin fehler rechte unerlaubte mischung, WWWXXXApc, lilo trying to map files from unnamed device 0x0000", Wwwxxxapc, CAM::PDF::Renderer::TextF Fragen, adodb.recordset error '800a0cc1', php save mails as eml, WWWXXXAPC, sqlexpress database file auto-creation error, sqlexpress database file auto-creation error

Links

XODOX
Impressum
Datenschutz

#1: How can I restrict access to a data file?

Posted on 2008-01-09 06:03:36 by phpnoob

I have a php script that processes a form and then posts the user
input to a data file on the server in a comma delimited format. For
simplicity call the file "data.csv." The script is working well and
the data is posted correctly to the data file.

The big problem is that anyone can point their web browser to
www.mywebsite.com/data/data.csv and see exactly what is contained in
the data file. Obviously, I want the data in that file to be hidden
to everyone in the world but me. I have to give sufficient
permissions to the php script to save the user data from the form to
data.csv, but I don't want the world to be able to see the data in
that file.

I have read and read some more with no luck. I do not run my own
server and am just using a hosting site. I have been working with the
file permissions, but every time I restrict access to data.csv the
script fails to write to the file because the permissions are
incorrect. Very frustrating.

Thanks for any help.

Report this message

#2: Re: How can I restrict access to a data file?

Posted on 2008-01-09 06:24:48 by luiheidsgoeroe

On Wed, 09 Jan 2008 06:03:36 +0100, <phpnoob@tragic.pointyhats.com> wrote:

> I have a php script that processes a form and then posts the user
> input to a data file on the server in a comma delimited format. For
> simplicity call the file "data.csv." The script is working well and
> the data is posted correctly to the data file.
>
> The big problem is that anyone can point their web browser to
> www.mywebsite.com/data/data.csv and see exactly what is contained in
> the data file. Obviously, I want the data in that file to be hidden
> to everyone in the world but me. I have to give sufficient
> permissions to the php script to save the user data from the form to
> data.csv, but I don't want the world to be able to see the data in
> that file.
>
> I have read and read some more with no luck. I do not run my own
> server and am just using a hosting site. I have been working with the
> file permissions, but every time I restrict access to data.csv the
> script fails to write to the file because the permissions are
> incorrect. Very frustrating.

File permissions will probably do you little good: the server has to be
able to write (and read?) it, so it will be able to read & serve it to
users.

Solutions, in order of desirability:
1. Store the file _outside_ the document root, just get it by FTP or SSH
yourself.
2. Restrict acces to an entire directory using an .htaccess file (either
full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
there.
3. Add some php code at the start: <?php exit(); ?>, and name in *.php,
again get it by FTP/SSH.
--
Rik Wasmus

Report this message

#3: Re: How can I restrict access to a data file?

Posted on 2008-01-09 09:46:41 by Courtney

Rik Wasmus wrote:
> On Wed, 09 Jan 2008 06:03:36 +0100, <phpnoob@tragic.pointyhats.com> wrote:
>
>> I have a php script that processes a form and then posts the user
>> input to a data file on the server in a comma delimited format. For
>> simplicity call the file "data.csv." The script is working well and
>> the data is posted correctly to the data file.
>>
>> The big problem is that anyone can point their web browser to
>> www.mywebsite.com/data/data.csv and see exactly what is contained in
>> the data file. Obviously, I want the data in that file to be hidden
>> to everyone in the world but me. I have to give sufficient
>> permissions to the php script to save the user data from the form to
>> data.csv, but I don't want the world to be able to see the data in
>> that file.
>>
>> I have read and read some more with no luck. I do not run my own
>> server and am just using a hosting site. I have been working with the
>> file permissions, but every time I restrict access to data.csv the
>> script fails to write to the file because the permissions are
>> incorrect. Very frustrating.
>
> File permissions will probably do you little good: the server has to be
> able to write (and read?) it, so it will be able to read & serve it to
> users.
>
> Solutions, in order of desirability:
> 1. Store the file _outside_ the document root, just get it by FTP or SSH
> yourself.
> 2. Restrict acces to an entire directory using an .htaccess file (either
> full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
> there.
> 3. Add some php code at the start: <?php exit(); ?>, and name in *.php,
> again get it by FTP/SSH.

4. Store the file outside document root, or in a .htaccess protected
directory for which NO HTTP USER ACCESS EXISTS AT ALL and write a php
script that takes a get variable with and obscure reference to something
to pull it.

so i.e you might type URL:/get-my-file.php?file=data.csv:password=5786gjk

or some such.

I myself would go with method 2/. though. Enoiugh to deter casual
hackers, but not overly hard to set up name and password persistently in
your own browser.

Report this message

#4: Re: How can I restrict access to a data file?

Posted on 2008-01-09 14:04:43 by Jerry Stuckle

Rik Wasmus wrote:
> On Wed, 09 Jan 2008 06:03:36 +0100, <phpnoob@tragic.pointyhats.com> wrote:
>
>> I have a php script that processes a form and then posts the user
>> input to a data file on the server in a comma delimited format. For
>> simplicity call the file "data.csv." The script is working well and
>> the data is posted correctly to the data file.
>>
>> The big problem is that anyone can point their web browser to
>> www.mywebsite.com/data/data.csv and see exactly what is contained in
>> the data file. Obviously, I want the data in that file to be hidden
>> to everyone in the world but me. I have to give sufficient
>> permissions to the php script to save the user data from the form to
>> data.csv, but I don't want the world to be able to see the data in
>> that file.
>>
>> I have read and read some more with no luck. I do not run my own
>> server and am just using a hosting site. I have been working with the
>> file permissions, but every time I restrict access to data.csv the
>> script fails to write to the file because the permissions are
>> incorrect. Very frustrating.
>
> File permissions will probably do you little good: the server has to be
> able to write (and read?) it, so it will be able to read & serve it to
> users.
>
> Solutions, in order of desirability:
> 1. Store the file _outside_ the document root, just get it by FTP or SSH
> yourself.
> 2. Restrict acces to an entire directory using an .htaccess file (either
> full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
> there.
> 3. Add some php code at the start: <?php exit(); ?>, and name in *.php,
> again get it by FTP/SSH.

2a. Restrict access to the single file using .htaccess.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Report this message

#5: Re: How can I restrict access to a data file?

Posted on 2008-01-09 15:09:20 by gordon

On Jan 9, 5:03 am, phpn...@tragic.pointyhats.com wrote:
> I have a php script that processes a form and then posts the user
> input to a data file on the server in a comma delimited format. For
> simplicity call the file "data.csv." The script is working well and
> the data is posted correctly to the data file.
>
> The big problem is that anyone can point their web browser towww.mywebsite.com/data/data.csvand see exactly what is contained in
> the data file. Obviously, I want the data in that file to be hidden
> to everyone in the world but me. I have to give sufficient
> permissions to the php script to save the user data from the form to
> data.csv, but I don't want the world to be able to see the data in
> that file.
>
> I have read and read some more with no luck. I do not run my own
> server and am just using a hosting site. I have been working with the
> file permissions, but every time I restrict access to data.csv the
> script fails to write to the file because the permissions are
> incorrect. Very frustrating.
>
> Thanks for any help.

If it is possible to do so then store the file in a directory that
isn't visible to the web. For example, if when you look into the web
server's FTP site and your home directory contains a public_html
directory or similar from which web pages are served, save the file to
the level above the public_html directory.

If everything on your web server's machine is web accessible then
create a directory for your file to go in and protect it with
a .htaccess file that is set to deny from all.

If at all possible go for the first option as it is 100% foolproof,
whereas the latter might fail if a misconfiguration of the web server
occurs (like the host installs a new version of apache and forgets to
enable support for .htaccess files when they start it).

Report this message

#6: Re: How can I restrict access to a data file?

Posted on 2008-01-09 22:44:15 by phpnoob

On Jan 9, 9:09 am, Gordon <gordon.mc...@ntlworld.com> wrote:
> On Jan 9, 5:03 am, phpn...@tragic.pointyhats.com wrote:
>
>
>
> > I have a php script that processes a form and then posts the user
> > input to a data file on the server in a comma delimited format. For
> > simplicity call the file "data.csv." The script is working well and
> > the data is posted correctly to the data file.
>
> > The big problem is that anyone can point their web browser towww.mywebsite.com/data/data.csvandsee exactly what is contained in
> > the data file. Obviously, I want the data in that file to be hidden
> > to everyone in the world but me. I have to give sufficient
> > permissions to the php script to save the user data from the form to
> > data.csv, but I don't want the world to be able to see the data in
> > that file.
>
> > I have read and read some more with no luck. I do not run my own
> > server and am just using a hosting site. I have been working with the
> > file permissions, but every time I restrict access to data.csv the
> > script fails to write to the file because the permissions are
> > incorrect. Very frustrating.
>
> > Thanks for any help.
>
> If it is possible to do so then store the file in a directory that
> isn't visible to the web. For example, if when you look into the web
> server's FTP site and your home directory contains a public_html
> directory or similar from which web pages are served, save the file to
> the level above the public_html directory.
>
> If everything on your web server's machine is web accessible then
> create a directory for your file to go in and protect it with
> a .htaccess file that is set to deny from all.
>
> If at all possible go for the first option as it is 100% foolproof,
> whereas the latter might fail if a misconfiguration of the web server
> occurs (like the host installs a new version of apache and forgets to
> enable support for .htaccess files when they start it).

Thank you for the replies. Part of the problem is that the web server
has set my HTML directory to "/../domainname.com" instead of "/../
domainname.com/public_html." I have sent a trouble ticket asking that
the HTML directory be changed to /public_html so that I have access to
the parent directories while the "public" only has access to the /
public_html files. These replies led the way. I think I am better
equipped to deal with this. Thanks again.

Report this message