March 13th, 2003, 05:34 AM
how can I restrict write access of a text file to be for a php program only
Hi, I have a form that takes user input and delivers it to a php program that writes that input to a text file that is located in the same directory as the php file on the server. The php program was denied write access to the text file untill I turned the properites of the text file on the server to accept write access from everyone. But now anyone can write a small program and write what ever they want to the file or delete its contents. Is there a way to set things up so that the php file can write to the text file without turning the write access for it to on for everyone. I am new to all this and expect that there is a simple way to do that.
March 13th, 2003, 11:20 AM
You could take the text file out of a web readable directory
Like if its loccated in: /username/wwwroot /
change it to be in: /username/
That way people cant acess it from the browser but the server still can use it to process your pages
All the best
March 13th, 2003, 11:49 AM
If you are in a shared hosting environment, there is nothing you can do about it.
Your ISP though could (and should!) setup chroot() or if he doesn´t allow any serverside programming but PHP (and no shell access either), he could activate the "safe mode".
March 14th, 2003, 10:32 AM
try PHP-cgiwrap... it's just like cgiwrap for perl...
just remember to put a different extension for the file that writes to the text file.. (phtml or something) otherwise all your php files will run under your username...
hope this helps
Stand out for justice as witnesses to God
March 14th, 2003, 12:48 PM
Hi wizards, I am new to the word of PHP and running programs off the net. I searched for information about PHP-cgiwrap on the net but I am not sure if I understood why it would be used in general and in my case in particular.
Does that mean anyone can run the php file but the server will act as if I ran it and since I have write permession to the text file, the php script will be able to write to it. Thus I do not have to grant write access on the text file for everyone and that solves my problem. Is that right ?
Here I like to ask another question, if I put the text file in a directory below the root, can php files on other servers access it or only php files on the same server ?
March 14th, 2003, 01:20 PM
do you have any idea of cgiwrap with perl?? php-cgiwrap is similar to that.
if you place a script below your document root, the whole world can access it, unles you place some security. one of the things you can do, is place it in a directory and password protect it using .htaccess. For info on this search the net for ".htaccess tutorials" and take a look at this site :http://www.freewebmasterhelp.com/tutorials/htaccess/3
you can access the files above your document root through php scripts.. but you will have to provide the COMPLETE PATH to those scripts . you cannot just write include ('../CONFIG/blah.php'), you will have to write include (/usr/bin/blah.php');
all you have to do is place a php4.cgi (if you are running php4) in the directory you want to run php-cgiwrap scripts or a directory above them and open your .htaccess file and type these commands in it:
line 1:Action application/x-pair-sphp4 /cgi-sys/php-cgiwrap/username/php4.cgi
line2:AddType application/x-pair-sphp4 .phtml
(the second line will make all files with .phtml to run in your username.
replace username with your actual username and put the path of the place where you put your php4.cgi... but if you do this you will not be able to use some extensions like mcrypt (which are not in core php)
also check with your isp before doing this. they may have different paths to cgiwrap ,etc
you can chmod the text file 700 and write to it through php file of extension .pthml (if you place the exact commands above in ur .htaccess)
Stand out for justice as witnesses to God
March 14th, 2003, 01:22 PM
March 14th, 2003, 07:43 PM
Thanks a lot wizards, I carefully read what you wrote and info in the links you provided and others.
So I understand that using php-cgiwrap offers the best protection. On the other hand, placing the text file above www root will only protect from users outside of the shared server I am on. If the server was didicated, placing the text file above the www root will be enough. I think I got it right ?? I will search for php4.cgi and use it.
By the way, I know nothing about Perl.