Safe Password - No MySQL ?

  • waltonics
    Junior Member
    • Nov 2004
    • 28

    Safe Password - No MySQL ?

    I have a friend who has a site without any db access whatsoever.

    I have just whacked up a really quick news script for them using xml files, and maybe they were just going to upload those xml files to their server.

    But, could I do better? How could I have a safe auth system without using either a DB or protecting directories with apache?

    (ps, I don't even have access to somewhere below the public www dir)

    thanks if anyone might point me in a direction!
  • waltonics
    Junior Member
    • Nov 2004
    • 28

    #2
    I should add here I meant 'reasonably safe', it's only for a news script that could be replaced in a second if anyone actually did err, 'hack it'..


    • james
      Senior Member
      • Mar 2004
      • 183

      #3
      I'm pretty sure that I read somewhere that if you enable only execute permissions (not read or write permissions) on a directory (in this case a directory inside www), you could store your xml files in here.

      eg site.com/newsfiles/
      I think if you chmod this folder to:

      drwxr-x--x (if my maths is correct, this is equal to 751)

      Then the directory should be browsable via a browser, but you can still access the files in the directory if you know the name of it.

      Keep in mind that I haven't actually tested this, so it may or may not work.

      Good luck!


      • james
        Senior Member
        • Mar 2004
        • 183

        #4
        By the way, I just tested this out on my Linux box and it works.

        chmod the folder to 751, put the xml file(s) in there, then access the xml file via your php script.

        James


        • waltonics
          Junior Member
          • Nov 2004
          • 28

          #5
          Thanks for that James, it's half the problem!

          But I guess the same thing can apply to my password file right? I'll have to play around. thanks! It doesn't have to be that safe like I said, and, if PHP can 'read' a file with only execute permissions. Surely that's pretty close... (I hope)


          • Jonathan
            Senior Member
            • Mar 2004
            • 1229

            #6
            Try to chmod the file to 700; that'd be read, write, execute
            permissions for just the owner.

            If I remember right, anybody trying to browse the file will
            see a "Forbidden" page. Another tip is to place it outside of
            the public_html folder and use the absolute server path to access it.

            I.e., include would be /home/user/script.ext
            instead of /home/user/public_html/script.ext
            "How can someone be so distracted yet so focused?"
            - C


            • james
              Senior Member
              • Mar 2004
              • 183

              #7
              Originally posted by Jonathan
              Another tip is to place it outside of
              the public_html folder and use the absolute server path to access it.

              I.e., include would be /home/user/script.ext
              instead of /home/user/public_html/script.ext
              Jonathan: He said that he doesn't have access outside of his www HTML directory.

              waltonics: you don't need to chmod the files - only the directory. Well in my test I didn't anyway.


              • Pedja
                Senior Member
                • Mar 2004
                • 329

                #8
                Protecting files to be accessed by web visitors of any kind is not a hard task. Even .htaccess password would do the job. The problem is protecting files to be viewed by other users on the same sharing host.

                Setting file permissions to 700 or even 770 should do the job. If files are XML then the exec flag could be turned off too.

                You should check, when you create a file from a PHP script, who is the owner.
                That will tell you who can see it. We can't tell you much, because things are different from server to server. Usually, web visitors access files as user nobody and a PHP script on the server accesses them under the user account for that site. Often, that is not the case, so you should check for the specific server.
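
An added example, not part of the original thread and not any poster's code: one way to keep a login for the news script in a flat file, applying the points above about owner-only permissions and checking which user PHP creates files as. The file name, user name and passphrase are constructed, and it assumes PHP 7.1 or later.

```php
<?php
// Added example; file name, user and passphrase are constructed placeholders.
const CRED_FILE = __DIR__ . '/news-admin.cred.php';

// Store only a salted hash. The .php name and the leading exit line mean a
// direct web request executes the file and sends nothing to the visitor.
function save_credentials(string $user, string $password): void
{
    $rec = json_encode(
        ['user' => $user, 'hash' => password_hash($password, PASSWORD_DEFAULT)],
        JSON_HEX_TAG
    );
    file_put_contents(CRED_FILE, "<?php exit; ?>\n" . $rec . "\n", LOCK_EX);
    chmod(CRED_FILE, 0600); // owner read/write only; a data file needs no exec bit
}

function check_login(string $user, string $password): bool
{
    $lines = @file(CRED_FILE, FILE_IGNORE_NEW_LINES);
    $rec = ($lines !== false && isset($lines[1])) ? json_decode($lines[1], true) : null;
    if (!is_array($rec) || !isset($rec['user'], $rec['hash'])) {
        return false; // missing or damaged file: fail closed
    }
    $userOk = hash_equals((string) $rec['user'], $user);
    $passOk = password_verify($password, (string) $rec['hash']);
    return $userOk && $passOk;
}

// Report who owns the file PHP just created, its mode, and the uid PHP runs as.
function describe_file(string $path): string
{
    clearstatcache(true, $path);
    $uid  = fileowner($path);
    $name = function_exists('posix_getpwuid') ? (posix_getpwuid($uid)['name'] ?? $uid) : $uid;
    $mode = substr(sprintf('%o', fileperms($path)), -4);
    $me   = function_exists('posix_geteuid') ? posix_geteuid() : 'unknown';
    return sprintf('%s owner=%s mode=%s php_uid=%s', basename($path), $name, $mode, $me);
}

// One-time setup and a check, run from the command line or a setup page.
save_credentials('editor', 'constructed-sample-passphrase');
echo describe_file(CRED_FILE), "\n";
var_dump(check_login('editor', 'constructed-sample-passphrase'));
var_dump(check_login('editor', 'wrong-guess'));
```

If the reported uid belongs to a shared account such as nobody, scripts from other sites on the same host run as that user too and can read the file whatever its mode.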


                • waltonics
                  Junior Member
                  • Nov 2004
                  • 28

                  #9
                  cool, thanks for lots of clarification there.

                  bah, I would hope those other kind folk sharing cp23 would have better things to do than try to hack a 'latest news' textfile!

                  having said that, it wasn't actually originally for dathorn, the problem was a horrific lack of access to anything on a friend's space.. I think I'm just going to move the whole site over here though at least for six months so the person can 'fully appreciate' what a limited host they have now.