I have a file sort of like this, it's a user database (udb.htm):
user1:pwd1
user2:pwd2
user3:pwd3
something along the lines of that. I would like to secure this file and make it available for PHP via the file_get_contents("udb.htm"); method, but not a browser window. Thanks!
you can:
upload the file in a directory outside the public html directory, but that php has access
block the access to the file using apache .htaccess <Files> or similar
use HTTP Basic Authentication
save your data in an actual database (mysql, mssql, oracle, sqlite)
Put the file outside of the web root. For instance, in the directory that contains public_html. PHP can access it (and any other file on the system), but you can't get to it from the web.
Move the file into a folder still accesible to PHP but not web clients.
What you want to do is put the database below the web path. So for example, if your website is at www.example.com and it points to: /var/www/html
Then you can put your password file into /var/www/password/udb.htm
Then access it from your php script as file_get_contents("../../password/udb.htm")
Your script can access the file, but your web service will not.
This changes the permissions of your file before open, and remove grants when you close the file, be sure about webserver permissions over the file.
<?php
$file = 'udb.htm';
chmod($file, 0600);
$contents = file_get_contents($file);
chmod($file, 0000);
?>
Related
I have a server that contains a simple php file for downloading images and a folder containing those images.
<?php
$filepath = "myFiles/" . $_POST["file"];
if (file_exists($filepath)) {
$file = fopen($filepath,"r") or die();
echo fread($file,filesize($filepath));
fclose($file);
}
?>
This download.php file as well as the myFiles folder are both located in the www/html/ folder.
I am trying to figure out a way to make it so that my PHP script can access my image files, while keeping the files locked away from regular visitors. My problem is that if I set permissions that the files can't be viewed through the browser, then the PHP script can't access them either. So either both have access or neither does.
Am I on the correct track? How could I make it so that I can download my images using a PHP script while keeping the images otherwise inaccessible?
That won't be something you can handle using the linux file system permissions. You can put back the linux permissions to what they were initially for the files.
Instead, if you have a /home folder, I would recommend putting the original files to hide there. Check with your webhost if you have one.
Otherwise, if you have to put everything in www absolutely, then put the files to hide in a new subfolder, e.g. "hidden-files", and in that folder put a .htaccess file inside to block direct browser access to the files. The .htaccess file can be a one-line file with Deny From All command inside.
This way your files will only be able to be proxied through download.php.
I am using file_put_contents() function to write the files on server. I have split the file on client side and send chunks on server. using file_put_contents I am writing that content on server side file.
So I worry, is that a secure way to do it?
Since you want to allow files to be written securely.
Make a location outside server root directory.
Something like:
root dir = /htdocs/html/
Data dir = /htdocs/data/
That way the web server does not have direct access to the files.
I'm using the code in Tom's response here. However I have a script that automatically generates .html files into my public_html folder. These files are then loaded by my .php file, which looks something like this:
<?php
require('./access.php');
include('./secret_information.html');
?>
However the "secret_information.html" file is viewable by anyone without the password. I am running an Apache web server. As I understand, all html code / images to be used on a website need to be in the public_html folder. So how can I hide this information? Do I need to setup my automated scripts to generate .php files rather than .html or is there another solution?
include can access any file, as long as it is accessible by the web server.
So you can put secret_information.html anywhere in the file system, preferably outside of the document root or public_html.
If you must keep the file inside your publicly accessible web for some reason, you may use Apache's Authentication and Authorization facility.
I want to store the password of my database to a file not into the webroot as directed by many repliers to relevant answers here.
I want to read the file from the dir "~/".
How to do that?
I've tried $file_content = file_get_contents("~/pass", true); but when I echo $file_content it prints nothing.
If you're uploading to an FTP server, use something like FileZilla and you should see your document root.
For me, it's /home/myusername/public_html.
If you had a file in myfolder above the web root, assume it will be /home/myusername/myfolder/file.
Then do file_get_contents(thingimentionedabove);.
Although I would recommend putting your document within the web root and granting / disallowing access via permissions in a .htaccess file.
The classical way to do that would be a config.php in a web app subdirectory, setting database access variables like $password. As security is concerned, "config" is too obvious.
Also all php scripts that deliver files should be programmed restrictively.
I'm having a bit of trouble trying to access the content of .txt files on a remote server that are in an .htaccess protected directory.
What I am trying to do is the following:
Connect to the FTP server via PHP and use ftp_nlist to retrieve a list of all the .txt files in a directory. Up to here, everything works fine.
For each .txt file found, I want to retrieve the contents. There are a number of ways to do this normally which all work fine when there is no .htaccess file protecting the .txt files.
BUT! As soon as I protect the online directory with the .htaccess file, every single method I have tried fails to get the contents of the .txt files. The .htaccess file that is protecting the folder that contains the .txt files has the following (and nothing else):
<Files *.txt>
Order Deny,Allow
Deny from All
</Files>
Obviously, the online PHP website itself can access the contents of the .txt files without any problems, and the .htaccess file itself is doing it's job perfectly (denying direct access to any of the files), but when I'm trying to access the .txt files remotely from my WAMP server, I just can't find a way to bypass the .htaccess protection.
Basically, I want to imitate remotely, from my WAMP server, what my website already does itself locally by using $contents = file($filepath). Surely there must be a way... Can anyone point me in the right direction? Should I be using a different method of protecting the .txt files, or should I be using a specific PHP function to access the contents?
Your question isn't clear.
If you protect a folder or a file with .htaccess you will be still able to download that file with FTP. .htaccess affects only Apache (http requests).
If you want to be able to download those file anyway with http, then you just do a script that outputs its content:
downloader.php:
//> Check if the admin is logged, and check if $_GET['filename'] is allowed
readfile($_GET['filename']);
Then you can request your file with:
http://yoursite/downloader.php?filename=file.txt
Of course be sure to protect the access of this downloader.php