Secure a flat file using a .php extension

I need to store some sensitive data (user names and passwords) in a flat file. I don't want to use a database, because that would defeat the whole purpose of the project. Of course, the passwords will be stored in the file as md5 hashes, but that alone wouldn't be enough.

This neat little login system, Micro Login System, seems to have the basics I need to start with, but it stores the user info in a plain text file.

The contents of userpwd.txt would have been:

admin:3089af3a625carf15ed2a1a93684413ffa
user1:75580656a394292460ebb4b036ebeaf1
user2:c67ac4665947cd23ff7d1d180b8e41d5

That's user:md5(password), one entry per line.

I was concerned about this because anyone who knew about the system could have typed address/userpwd.txt into the address bar and read the whole list.

My solution

PHP files are pretty secure, right? They're processed on the server before the client gets the output. How about giving the file a .php extension instead of .txt?

Of course, the extension alone wouldn't be enough: with no PHP code in it, the output would be exactly the file's contents. But now that it's a PHP file, we can put PHP code in it. What if userpwd.php looked like this:

<?php die(); ?>
admin:3089af3a625carf15ed2a1a93684413f
user1:75580656a394292460ebb4b036ebeaf1
user2:c67ac4665947cd23ff7d1d180b8e41d5

The login system can be made to skip the first line, because it runs server-side and reads userpwd.php straight from disk (exactly as it read the .txt version), so nothing changes for it.

But if a client requests userpwd.php in their browser, the server runs the PHP code in the file first: die() terminates the script before any of the following lines are output, so the client gets a blank page.
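Here is how the server-side half of this design can look: a loader that reads the file from disk, skips the guard line, and verifies a login. This is an added example, not code from the original post or from Micro Login System; the function names (loadUsers, checkLogin), the temporary sample file it writes, and the sample credentials are my own constructions.

```php
<?php
// Added example (not part of the original post or of Micro Login System):
// read the credential file, skip the "<?php die(); ?>" guard line, and
// check a submitted login. Assumed layout: one "username:md5hex" per line
// after the guard line.

declare(strict_types=1);

/**
 * Parse the credential file into [username => md5hex].
 * PHP tag lines, blank lines and malformed lines are skipped.
 * The file is read with file(), never include()d, so the die() guard
 * is treated as data and is not executed.
 */
function loadUsers(string $path): array
{
    $users = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("cannot read $path");
    }
    foreach ($lines as $line) {
        $line = trim($line);
        // Skip the guard line (both the plain and the fake-404 variant start with "<?php").
        if ($line === '' || strncmp($line, '<?php', 5) === 0) {
            continue;
        }
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue;
        }
        [$name, $hash] = $parts;
        // Accept only well-formed 32-hex-digit MD5 values; anything else is ignored.
        if (!preg_match('/^[0-9a-f]{32}$/i', $hash)) {
            continue;
        }
        $users[$name] = strtolower($hash);
    }
    return $users;
}

/**
 * Check a username/password pair against the parsed table.
 * hash_equals() keeps the comparison constant-time.
 */
function checkLogin(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    return hash_equals($users[$name], md5($password));
}

// Constructed sample file, written to a temp path so the example runs stand-alone.
$tmp = tempnam(sys_get_temp_dir(), 'userpwd');
file_put_contents(
    $tmp,
    "<?php die(); ?>\n"
    . "admin:" . md5('correct horse') . "\n"
    . "user1:75580656a394292460ebb4b036ebeaf1\n"
);

$users = loadUsers($tmp);
var_dump(checkLogin($users, 'admin', 'correct horse'));
var_dump(checkLogin($users, 'admin', 'wrong'));
var_dump(checkLogin($users, 'nobody', 'x'));
unlink($tmp);
```

Two points a practitioner will want to keep in mind. First, the login script must open the file with file() or fopen(), never include() or require(): including it would run the die() guard inside the login script itself. Second, the guard only protects the file while the web server actually hands .php files to the PHP engine; the loader takes an arbitrary path so the file can live outside the document root, where no URL reaches it regardless of server configuration. For a new system, password_hash()/password_verify() is the preferable way to store the passwords themselves, but the loader above keeps the post's md5 format.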

Optional stuff

The header("HTTP/1.0 404 Not Found") call is an attempt to mislead anyone who types in the file name, by sending the browser a 404 Not Found status. I even went as far as passing die() an error message that looks like the default 404 error page most users are used to seeing:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

So our userpwd.php would look like this:

<?php header("HTTP/1.0 404 Not Found"); die("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"> <html><head> \n \n</head><body> \n<h1>Not Found</h1> \n<p>The requested URL was not found on this server.</p> \n</body></html>"); ?>
admin:3089af3a625carf15ed2a1a93684413f
user1:75580656a394292460ebb4b036ebeaf1
user2:c67ac4665947cd23ff7d1d180b8e41d5

And now, if anyone opens the file in their browser, they get a page with this source code (the \" escapes in the PHP string are output as plain quotes):

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

Conclusions

The most secure .txt file is a .php file

So let’s take a look at it again…

If you don't need or don't want MySQL or any other database, but have sensitive data to store in a flat file:

  • give it a .php extension
  • put this on its first line:
<?php die(); ?>

Optional: to make it look like a 404 Not Found page instead, use this as the first line in place of the one above:

<?php header("HTTP/1.0 404 Not Found"); die("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"> <html><head> \n \n</head><body> \n<h1>Not Found</h1> \n<p>The requested URL was not found on this server.</p> \n</body></html>"); ?>

Think different?

Can you think of any reason for this not to be secure?

Author of this post: Stefan Matei

Since 2007 Stefan Matei has been working as a freelance web designer and web developer. He describes his activity as "building WordPress websites that look good and feel right when you click or touch them." Interested in hiring Stefan for a project? Visit his portfolio at StefanMatei.com/portfolio
Sep 1, 2008. Posted under: archives