Comments on: Secure a Flat File Using a .php Extension
http://www.vileworks.com/secure-a-flat-file-using-a-php-extension
Web design & development work of Stefan Matei
Mon, 15 Mar 2010 14:52:16 +0000

By: Stefan | Sun, 01 Mar 2009 07:19:49 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-1227

@PHPNewbie: Indeed, you can use .htaccess to restrict the access to that file.

Think of this as just another way of doing it, in case maybe htaccess doesn’t suit you. I guess I was also thinking htaccess files can get a bit tricky for some users seeing how most web hosts hide them and FTP clients don’t show hidden files (unless you change that in the settings), or how you can’t create a new .htaccess file under Windows as you would any other normal file with a normal extension.

The project I mentioned got postponed a bit, but it’s almost complete… I’ve used it for live sites already and very soon it should be polished enough to be downloaded and used by your average Joe.

By: PHPNewbie | Sun, 01 Mar 2009 00:41:47 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-1220

Hi,

I’m just a PHP Newbie, but could you just chmod
the datafile access to read/write for owner only or
something like that, which in this case would be the
PHP script that created the data file and is using
it for logins?

Aren’t there some hosts that don’t let you have
access to .htaccess and/or php.ini? So changing those
files wouldn’t help.

I like your idea about using a php file as a data file with
the header/die. You can read the file one line at a time
without having to load the whole data file into memory.

How is your project going?

Newbie.

By: webteh | Tue, 09 Dec 2008 23:00:24 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-316

.txt file and proper rewrite rules when accessing .txt file

By: Stefan | Wed, 15 Oct 2008 12:52:55 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-79

@Sorin: As I was saying, using a database would defeat the whole purpose of the project I was working on (and is almost complete, just one more stinkin’ bug to solve).
The project is something like cushycms.com, only not self hosted and more customizable, and the thing should be stupid simple to set up—just setting the password and an FTP upload.

By: Sorin | Wed, 15 Oct 2008 08:32:05 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-74

why don’t you try SQLite.. it’s not server side dependable.. and you can use a mySQL programming interface :D
anyway.. thanks for the tip with the 404 header.. very nice idea

By: Dean | Wed, 01 Oct 2008 23:17:32 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-32

Another point. If, for some reason the server is not configured correctly to process php files server side then it is entirely possible that the raw php source file could be sent to the user (this happened to facebook a while back)

By: Dean | Wed, 01 Oct 2008 23:17:16 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-31

You could just use htaccess to block access to the file in question. The general public would not have to deal with the technical issues as you could ship the product with the htaccess file in place already (have the flatfile inside a separate folder to avoid conflicts with already existing htaccess files (read: so you don’t overwrite them)).

By: Stefan | Wed, 01 Oct 2008 23:15:32 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-30

@dean: I thought about that too. But it would complicate things a little for the general public. Nonetheless, I agree, it’s a safe classic method.

@LGR: Same thing, about the root folder.
And as for the obscure folder… I’m planning to release the final product open source. So anyone who would know that a site uses this could study the scripts and file structure and exploit it.
And speaking of which, one more step regarding security, is to encourage users to change the name of their data file.

By: Stefan | Wed, 01 Oct 2008 23:15:18 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-29

@Jez: The problem is that this information should have to be stored in such a way that would make it easily comprehensible (readable, deletable, updatable) by other scripts. Like a CSV (comma separated values) or in this case, colon separated values.
It should allow to easily simulate the main operations you could do on the data in a database for example… at a very simplified level, of course.

This is because someone should be able to manage the users, users should be able to manage their own accounts and so on.

By: Dean | Wed, 01 Oct 2008 23:13:40 +0000 | http://www.vileworks.com/secure-a-flat-file-using-a-php-extension/comment-page-1#comment-28

Just placing the file outside of your web root folder will secure it plenty. No need for all the extra stuff!
