How can I restrict access to a data file?

on 09.01.2008 06:03:36 by phpnoob

I have a php script that processes a form and then posts the user
input to a data file on the server in a comma delimited format. For
simplicity call the file "data.csv." The script is working well and
the data is posted correctly to the data file.

The big problem is that anyone can point their web browser to
www.mywebsite.com/data/data.csv and see exactly what is contained in
the data file. Obviously, I want the data in that file to be hidden
to everyone in the world but me. I have to give sufficient
permissions to the php script to save the user data from the form to
data.csv, but I don't want the world to be able to see the data in
that file.

I have read and read some more with no luck. I do not run my own
server and am just using a hosting site. I have been working with the
file permissions, but every time I restrict access to data.csv the
script fails to write to the file because the permissions are
incorrect. Very frustrating.

Thanks for any help.

Re: How can I restrict access to a data file?

on 09.01.2008 06:24:48 by luiheidsgoeroe

On Wed, 09 Jan 2008 06:03:36 +0100, wrote:

> I have a php script that processes a form and then posts the user
> input to a data file on the server in a comma delimited format. For
> simplicity call the file "data.csv." The script is working well and
> the data is posted correctly to the data file.
>
> The big problem is that anyone can point their web browser to
> www.mywebsite.com/data/data.csv and see exactly what is contained in
> the data file. Obviously, I want the data in that file to be hidden
> to everyone in the world but me. I have to give sufficient
> permissions to the php script to save the user data from the form to
> data.csv, but I don't want the world to be able to see the data in
> that file.
>
> I have read and read some more with no luck. I do not run my own
> server and am just using a hosting site. I have been working with the
> file permissions, but every time I restrict access to data.csv the
> script fails to write to the file because the permissions are
> incorrect. Very frustrating.

File permissions will probably do you little good: the server has to be
able to write (and read?) it, so it will be able to read & serve it to
users.

Solutions, in order of desirability:
1. Store the file _outside_ the document root, just get it by FTP or SSH
yourself.
2. Restrict access to an entire directory using an .htaccess file (either
full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
there.
3. Add some php code at the start: , and name in *.php,
again get it by FTP/SSH.
--
Rik Wasmus

Re: How can I restrict access to a data file?

on 09.01.2008 09:46:41 by Courtney

Rik Wasmus wrote:
> On Wed, 09 Jan 2008 06:03:36 +0100, wrote:
>
>> I have a php script that processes a form and then posts the user
>> input to a data file on the server in a comma delimited format. For
>> simplicity call the file "data.csv." The script is working well and
>> the data is posted correctly to the data file.
>>
>> The big problem is that anyone can point their web browser to
>> www.mywebsite.com/data/data.csv and see exactly what is contained in
>> the data file. Obviously, I want the data in that file to be hidden
>> to everyone in the world but me. I have to give sufficient
>> permissions to the php script to save the user data from the form to
>> data.csv, but I don't want the world to be able to see the data in
>> that file.
>>
>> I have read and read some more with no luck. I do not run my own
>> server and am just using a hosting site. I have been working with the
>> file permissions, but every time I restrict access to data.csv the
>> script fails to write to the file because the permissions are
>> incorrect. Very frustrating.
>
> File permissions will probably do you little good: the server has to be
> able to write (and read?) it, so it will be able to read & serve it to
> users.
>
> Solutions, in order of desirability:
> 1. Store the file _outside_ the document root, just get it by FTP or SSH
> yourself.
> 2. Restrict access to an entire directory using an .htaccess file (either
> full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
> there.
> 3. Add some php code at the start: , and name in *.php,
> again get it by FTP/SSH.

4. Store the file outside document root, or in a .htaccess protected
directory for which NO HTTP USER ACCESS EXISTS AT ALL and write a php
script that takes a get variable with an obscure reference to something
to pull it.

so i.e you might type URL:/get-my-file.php?file=data.csv:password=5786gjk

or some such.

I myself would go with method 2, though. Enough to deter casual
hackers, but not overly hard to set up name and password persistently in
your own browser.

Re: How can I restrict access to a data file?

on 09.01.2008 14:04:43 by Jerry Stuckle

Rik Wasmus wrote:
> On Wed, 09 Jan 2008 06:03:36 +0100, wrote:
>
>> I have a php script that processes a form and then posts the user
>> input to a data file on the server in a comma delimited format. For
>> simplicity call the file "data.csv." The script is working well and
>> the data is posted correctly to the data file.
>>
>> The big problem is that anyone can point their web browser to
>> www.mywebsite.com/data/data.csv and see exactly what is contained in
>> the data file. Obviously, I want the data in that file to be hidden
>> to everyone in the world but me. I have to give sufficient
>> permissions to the php script to save the user data from the form to
>> data.csv, but I don't want the world to be able to see the data in
>> that file.
>>
>> I have read and read some more with no luck. I do not run my own
>> server and am just using a hosting site. I have been working with the
>> file permissions, but every time I restrict access to data.csv the
>> script fails to write to the file because the permissions are
>> incorrect. Very frustrating.
>
> File permissions will probably do you little good: the server has to be
> able to write (and read?) it, so it will be able to read & serve it to
> users.
>
> Solutions, in order of desirability:
> 1. Store the file _outside_ the document root, just get it by FTP or SSH
> yourself.
> 2. Restrict access to an entire directory using an .htaccess file (either
> full (use FTP/SSH), HTTP authenticated, or on your IP) put the file in
> there.
> 3. Add some php code at the start: , and name in *.php,
> again get it by FTP/SSH.

2a. Restrict access to the single file using .htaccess.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: How can I restrict access to a data file?

on 09.01.2008 15:09:20 by gordon

On Jan 9, 5:03 am, phpn...@tragic.pointyhats.com wrote:
> I have a php script that processes a form and then posts the user
> input to a data file on the server in a comma delimited format. For
> simplicity call the file "data.csv." The script is working well and
> the data is posted correctly to the data file.
>
> The big problem is that anyone can point their web browser to www.mywebsite.com/data/data.csv and see exactly what is contained in
> the data file. Obviously, I want the data in that file to be hidden
> to everyone in the world but me. I have to give sufficient
> permissions to the php script to save the user data from the form to
> data.csv, but I don't want the world to be able to see the data in
> that file.
>
> I have read and read some more with no luck. I do not run my own
> server and am just using a hosting site. I have been working with the
> file permissions, but every time I restrict access to data.csv the
> script fails to write to the file because the permissions are
> incorrect. Very frustrating.
>
> Thanks for any help.

If it is possible to do so then store the file in a directory that
isn't visible to the web. For example, if when you look into the web
server's FTP site and your home directory contains a public_html
directory or similar from which web pages are served, save the file to
the level above the public_html directory.

If everything on your web server's machine is web accessible then
create a directory for your file to go in and protect it with
a .htaccess file that is set to deny from all.

If at all possible go for the first option as it is 100% foolproof,
whereas the latter might fail if a misconfiguration of the web server
occurs (like the host installs a new version of apache and forgets to
enable support for .htaccess files when they start it).
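
The two options from the replies above, as an added example that is not code from any poster in this thread: the form handler appends to data.csv in a directory above the document root, and only if that directory turns out to sit inside the web root does it fall back to a deny-all .htaccess. The `private-data` directory name and the `name`/`email` form fields are assumptions; the directory is expected to be created once by hand (e.g. over FTP) and made writable for the script.

```php
<?php
// Added example, not code from the thread. Paths and field names are hypothetical.

// True when $path is $root itself or lies beneath it (symlinks resolved).
function is_inside(string $path, string $root): bool
{
    $path = rtrim(realpath($path) ?: $path, '/') . '/';
    $root = rtrim(realpath($root) ?: $root, '/') . '/';
    return strncmp($path, $root, strlen($root)) === 0;
}

// Append one row to $dataDir/data.csv, keeping the directory out of HTTP reach.
function save_row(array $fields, string $dataDir, string $docRoot): void
{
    if (!is_dir($dataDir) || !is_writable($dataDir)) {
        throw new RuntimeException("data directory missing or not writable: $dataDir");
    }
    if (is_inside($dataDir, $docRoot)) {
        // Host serves everything: fall back to a deny-all .htaccess.
        // Written for both Apache 2.4 (Require) and 2.2 (Order/Deny).
        $rules = "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
               . "<IfModule !mod_authz_core.c>\n  Order deny,allow\n  Deny from all\n</IfModule>\n";
        if (file_put_contents("$dataDir/.htaccess", $rules, LOCK_EX) === false) {
            throw new RuntimeException('cannot write .htaccess, refusing to store data');
        }
    }
    $fh = fopen("$dataDir/data.csv", 'ab');
    if ($fh === false) {
        throw new RuntimeException('cannot open data.csv for append');
    }
    flock($fh, LOCK_EX);                  // serialise concurrent submissions
    fputcsv($fh, $fields, ',', '"', '');  // quotes commas/newlines in user input
    flock($fh, LOCK_UN);
    fclose($fh);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $docRoot = $_SERVER['DOCUMENT_ROOT'];           // e.g. /home/user/public_html
    $dataDir = dirname($docRoot) . '/private-data'; // one level above the web root
    save_row([date('c'), $_POST['name'] ?? '', $_POST['email'] ?? ''], $dataDir, $docRoot);
}
```

If the fallback branch is the one in use, request the data.csv URL yourself after deploying and after any host-side Apache change, and confirm it returns 403, since the rules only work while the server honours .htaccess files.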

Re: How can I restrict access to a data file?

on 09.01.2008 22:44:15 by phpnoob

On Jan 9, 9:09 am, Gordon wrote:
> On Jan 9, 5:03 am, phpn...@tragic.pointyhats.com wrote:
>
>
>
> > I have a php script that processes a form and then posts the user
> > input to a data file on the server in a comma delimited format. For
> > simplicity call the file "data.csv." The script is working well and
> > the data is posted correctly to the data file.
>
> > The big problem is that anyone can point their web browser to www.mywebsite.com/data/data.csv and see exactly what is contained in
> > the data file. Obviously, I want the data in that file to be hidden
> > to everyone in the world but me. I have to give sufficient
> > permissions to the php script to save the user data from the form to
> > data.csv, but I don't want the world to be able to see the data in
> > that file.
>
> > I have read and read some more with no luck. I do not run my own
> > server and am just using a hosting site. I have been working with the
> > file permissions, but every time I restrict access to data.csv the
> > script fails to write to the file because the permissions are
> > incorrect. Very frustrating.
>
> > Thanks for any help.
>
> If it is possible to do so then store the file in a directory that
> isn't visible to the web. For example, if when you look into the web
> server's FTP site and your home directory contains a public_html
> directory or similar from which web pages are served, save the file to
> the level above the public_html directory.
>
> If everything on your web server's machine is web accessible then
> create a directory for your file to go in and protect it with
> a .htaccess file that is set to deny from all.
>
> If at all possible go for the first option as it is 100% foolproof,
> whereas the latter might fail if a misconfiguration of the web server
> occurs (like the host installs a new version of apache and forgets to
> enable support for .htaccess files when they start it).

Thank you for the replies. Part of the problem is that the web server
has set my HTML directory to "/../domainname.com" instead of "/../
domainname.com/public_html." I have sent a trouble ticket asking that
the HTML directory be changed to /public_html so that I have access to
the parent directories while the "public" only has access to the /
public_html files. These replies led the way. I think I am better
equipped to deal with this. Thanks again.