iffy Posted June 7, 2003

Head Bash

Basically, I want to allow my PHP pages to read/write some text files, but I don't want browsing people to be able to see the files. I've played with the file permissions on the text files, directories and PHP files. The only way the PHP pages can read/write the text files is if the world (other?) permissions are turned on... but this lets browsers see them too. The group permissions don't seem to do a thing (for the PHP or the browser).

Am I going to have to break down and learn MySQL, or can some permission group be set up to allow this??

(..and just because I think this will look cool:) Two Guns Kick Me
Lianna Posted June 12, 2003

iffy, are you still banging your head against the wall, or have you found the resolution? Maybe our PHP 'nut' can chime in on this one? Bump.
surefire Posted June 12, 2003

Sometimes I feel like a nut... sometimes I don't. Anyhow, here are my thoughts.

1- MySQL is not difficult, is more secure (MORE... not 100%)
2- MySQL should be faster with complex queries
3- TCH, in their infinite kindness and wisdom, gives all users great access to MySQL at no additional charge... you don't know what a gift that is!

Ok. You wanted to know about flat files. Although I'm pretty darn good with PHP... your question is really about security. I know enough, but it seems that others here know quite a bit more than I. So here are some of my ideas. Please keep in mind that I use MySQL, so I have either borrowed these ideas I'm giving you or I'm kinda making them up on the spot.

1- .htaccess to password protect the folder containing the flat file. PHP script can still read the script
2- name the flat file with .php extension
3- put a few lines of code that detects hacks and sends you an email with their IP, redirects the hacker
3- place the flat file in your root directory so it is a bit harder to find or access by the general public. In other words, don't put it in your public_html folder
4- place an index.htm (or .php) file in the folder that the flat file is in so that the public won't get a directory listing of the files when they access the folder through http
5- name the flat file beginning with a period (like .hatfile.php). I read at php.net in one of the user comments that this makes it invisible to those who don't know what they are looking for

Closing remarks: If security is vital (NSA secrets, location of Jimmy Hoffa, social security numbers of your friends and family, etc.) then don't put it on the web. There are all sorts of security measures you can take... but if someone with the motive, skills, and time decides to crack your system regardless of what it takes... there's a good chance they'll succeed.

Luckily, most script kiddies go after easy targets and the ones with skill go after government databases and big corporations. imho... MySQL is many times safer and more versatile than a flat file system.

Oh, one other thing. If you only need to write to the file on rare occasions, then you can change the chmod settings, write to the file, and change the settings back. PHP can only read the file if you are using the file system for presenting existing data. Obviously, if you are looking to write data to the file whenever you please, then this would be tedious.

I hope some of these ideas help.
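The following is an added example, not code from the thread or from TCH, showing how two of the suggestions above fit together in PHP: the flat file lives outside public_html, and it carries a .php extension with a first line that stops the interpreter if the file is ever served directly. The paths (/home/user/public_html/counter.php for the script, /home/user/data/.hits.php for the data) are assumed for illustration.

```php
<?php
// Added example (not from the thread): keep a flat file where PHP can read and
// write it but a browser cannot fetch it. Assumed layout (hypothetical):
//   /home/user/public_html/counter.php   <- this script, inside the web root
//   /home/user/data/.hits.php            <- the flat file, outside the web root

declare(strict_types=1);

// Resolve the data directory relative to the web root's parent, never from
// user input, so no request parameter can steer the path.
define('DATA_DIR', dirname(__DIR__) . DIRECTORY_SEPARATOR . 'data');
define('DATA_FILE', DATA_DIR . DIRECTORY_SEPARATOR . '.hits.php');

// First line of the flat file: if a misconfiguration ever exposes the file
// through the web server, PHP executes this line and emits none of the data.
const GUARD_LINE = "<?php http_response_code(403); exit; ?>\n";

/**
 * Read the records stored after the guard line. Returns an array of lines.
 */
function readRecords(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException('cannot open data file');
    }
    flock($fh, LOCK_SH);             // shared lock: readers don't block each other
    fgets($fh);                      // skip the guard line
    $records = [];
    while (($line = fgets($fh)) !== false) {
        $records[] = rtrim($line, "\r\n");
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $records;
}

/**
 * Append one record. The guard line is written when the file is created, and
 * an exclusive lock prevents interleaved writes from concurrent requests.
 */
function appendRecord(string $path, string $record): void
{
    if (!is_dir(dirname($path)) && !mkdir(dirname($path), 0700, true)) {
        throw new RuntimeException('cannot create data directory');
    }
    $fh = fopen($path, 'cb');        // create if missing, never truncate
    if ($fh === false) {
        throw new RuntimeException('cannot open data file for writing');
    }
    flock($fh, LOCK_EX);
    fseek($fh, 0, SEEK_END);
    if (ftell($fh) === 0) {
        fwrite($fh, GUARD_LINE);
        chmod($path, 0600);          // owner only; assumes PHP runs as the owner
    }
    // One record per line; strip newlines so one record cannot forge two.
    fwrite($fh, str_replace(["\r", "\n"], ' ', $record) . "\n");
    flock($fh, LOCK_UN);
    fclose($fh);
}

// Usage: record this visit and show the count.
appendRecord(DATA_FILE, date('c') . ' visit');
header('Content-Type: text/plain');
echo 'Visits so far: ' . count(readRecords(DATA_FILE)) . "\n";
```

The chmod to 0600 only helps when PHP runs as the file's owner (suEXEC or CGI setups). Where the web server runs as a different user, which is what the original permission trouble suggests, the file may still need group or world read/write bits, and then it is the location outside the web root, plus the guard line, that keeps browsers from reading it.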
TCH-Don Posted June 12, 2003

Jack, just what I have been looking for! Great ideas, I like #1, will have to try that first. Thanks
surefire Posted June 12, 2003

Glad to help. One thing I forgot to mention... those ideas aren't mutually exclusive... you can try combinations of some or all of them if you like.

Also, another point on security... and this goes for MySQL as well. Make sure that you test the user input. In other words, before you ask the PHP script to access the file or database, do some checking on the variables. PHP has nifty functions to check:

1- Is this variable a number?
2- Is this variable devoid of HTML code?
3- Does this variable contain words like "Drop"?

Also, be very, very careful NOT to write a variable into your code to determine which file to get. In other words, don't write something like fopen($file_var.php); Your script should explicitly name the file that is to be opened. Don't pass the file name in a variable.
iffy (Author) Posted June 12, 2003

Thank you for the helpful info! In the space of time before I was notified of posts, I set up MySQL on my local machine and love it -- I think I'm going to use it for most everything, but for when I do flat file stuff, I'll keep your suggestions in mind, surefire. I like that .htaccess trick.

Oh, and how exactly would you do number 3? (The first 3 in the second list)

3- put a few lines of code that detects hacks and sends you an email with their IP, redirects the hacker

I can check the IP and send an email, but how do I trigger it?
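As an added example (not posted by anyone in the thread), here is one way to put surefire's input checks and the "detect, email the IP, redirect" idea into one PHP script. The trigger is simply a failed validation: the script decides what input is acceptable, and anything else is logged, reported and redirected before any file is opened. The recipient address, the page map and the redirect target are hypothetical.

```php
<?php
// Added example (not from the thread): validate request input before touching
// any file or database, and use a validation failure as the trigger for the
// "email me the IP and redirect" step. All names here are hypothetical.

declare(strict_types=1);

const ALERT_TO  = 'you@example.com';          // hypothetical recipient
const SAFE_PAGE = '/index.php';               // where rejected requests are sent

// Never let a variable choose the file. A short key maps to a fixed path, so
// only these files can ever be opened, whatever the request contains.
const PAGE_FILES = [
    'about'   => __DIR__ . '/../data/about.txt',
    'contact' => __DIR__ . '/../data/contact.txt',
];

/**
 * Called whenever input fails a check: log locally, email the IP, redirect.
 */
function rejectRequest(string $reason): void
{
    $ip   = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $uri  = $_SERVER['REQUEST_URI'] ?? '';
    $line = sprintf('%s reject ip=%s reason=%s uri=%s', date('c'), $ip, $reason, $uri);
    error_log($line);                        // always keep a local record
    // mail() can fail or be slow on shared hosts; don't let that stop the redirect.
    @mail(ALERT_TO, 'Rejected request on ' . ($_SERVER['HTTP_HOST'] ?? 'site'), $line);
    header('Location: ' . SAFE_PAGE, true, 302);
    exit;
}

/** Check 1: is this variable a number? Digits only, and a sane length. */
function requireId(string $value): int
{
    if (!ctype_digit($value) || strlen($value) > 9) {
        rejectRequest('id not numeric');
    }
    return (int) $value;
}

/** Check 2: is this variable free of HTML? Compare it against its stripped form. */
function requireNoHtml(string $value, int $maxLen = 200): string
{
    if (strlen($value) > $maxLen || strip_tags($value) !== $value) {
        rejectRequest('html in text field');
    }
    return $value;
}

/** Check 3: reject SQL-looking keywords in a field that should be plain words. */
function requirePlainWords(string $value): string
{
    if (preg_match('/\b(drop|delete|insert|union|select)\b/i', $value)) {
        rejectRequest('sql keyword in field');
    }
    return $value;
}

/** Map a page key to a file; unknown keys are rejected, never concatenated. */
function requireKnownPage(string $key): string
{
    if (!isset(PAGE_FILES[$key])) {
        rejectRequest('unknown page key');
    }
    return PAGE_FILES[$key];
}

// Usage: every value is checked before anything is opened or echoed.
$id   = requireId($_GET['id'] ?? '');
$name = requirePlainWords(requireNoHtml($_GET['name'] ?? ''));
$path = requireKnownPage($_GET['page'] ?? 'about');

header('Content-Type: text/plain');
echo "id=$id name=$name\n";
readfile($path);
```

Of the three checks, the keyword test is the weakest: it will reject an innocent "drop me a line" and it is not what protects a database. Once the data is in MySQL, the real defence is sending values through prepared statements with bound parameters rather than pasting them into the query string; the number and no-HTML checks remain useful because they keep bad data out before it is stored or displayed.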