#1
  1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Posts
    13
    Rep Power
    0

    how can I restrict write access of a text file to be for a php program only


    Hi, I have a form that takes user input and delivers it to a php program that writes that input to a text file that is located in the same directory as the php file on the server. The php program was denied write access to the text file untill I turned the properites of the text file on the server to accept write access from everyone. But now anyone can write a small program and write what ever they want to the file or delete its contents. Is there a way to set things up so that the php file can write to the text file without turning the write access for it to on for everyone. I am new to all this and expect that there is a simple way to do that.

    Thanks
    Sam
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2003
    Posts
    164
    Rep Power
    12
    You could take the text file out of a web readable directory

    Like if its loccated in: /username/wwwroot /
    change it to be in: /username/

    That way people cant acess it from the browser but the server still can use it to process your pages

    All the best
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    191
    If you are in a shared hosting environment, there is nothing you can do about it.
    Your ISP though could (and should!) setup chroot() or if he doesn´t allow any serverside programming but PHP (and no shell access either), he could activate the "safe mode".
  6. #4
  7. No Profile Picture
    The Wizard
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Posts
    128
    Rep Power
    12
    try PHP-cgiwrap... it's just like cgiwrap for perl...

    just remember to put a different extension for the file that writes to the text file.. (phtml or something) otherwise all your php files will run under your username...

    hope this helps
    Stand out for justice as witnesses to God
  8. #5
  9. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Posts
    13
    Rep Power
    0
    Hi wizards, I am new to the word of PHP and running programs off the net. I searched for information about PHP-cgiwrap on the net but I am not sure if I understood why it would be used in general and in my case in particular.

    Does that mean anyone can run the php file but the server will act as if I ran it and since I have write permession to the text file, the php script will be able to write to it. Thus I do not have to grant write access on the text file for everyone and that solves my problem. Is that right ?

    Here I like to ask another question, if I put the text file in a directory below the root, can php files on other servers access it or only php files on the same server ?

    Thanks,
    Salam
  10. #6
  11. No Profile Picture
    The Wizard
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Posts
    128
    Rep Power
    12
    do you have any idea of cgiwrap with perl?? php-cgiwrap is similar to that.

    if you place a script below your document root, the whole world can access it, unles you place some security. one of the things you can do, is place it in a directory and password protect it using .htaccess. For info on this search the net for ".htaccess tutorials" and take a look at this site :http://www.freewebmasterhelp.com/tutorials/htaccess/3

    you can access the files above your document root through php scripts.. but you will have to provide the COMPLETE PATH to those scripts . you cannot just write include ('../CONFIG/blah.php'), you will have to write include (/usr/bin/blah.php');

    about php-cgiwrap:

    all you have to do is place a php4.cgi (if you are running php4) in the directory you want to run php-cgiwrap scripts or a directory above them and open your .htaccess file and type these commands in it:

    line 1:Action application/x-pair-sphp4 /cgi-sys/php-cgiwrap/username/php4.cgi
    line2:AddType application/x-pair-sphp4 .phtml

    (the second line will make all files with .phtml to run in your username.

    replace username with your actual username and put the path of the place where you put your php4.cgi... but if you do this you will not be able to use some extensions like mcrypt (which are not in core php)

    also check with your isp before doing this. they may have different paths to cgiwrap ,etc

    you can chmod the text file 700 and write to it through php file of extension .pthml (if you place the exact commands above in ur .htaccess)
    Stand out for justice as witnesses to God
  12. #7
  13. No Profile Picture
    The Wizard
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Posts
    128
    Rep Power
    12
    you might want to take a look at this too. it is the home page of cgiwrap is : http://www.unixtools.org/cgiwrap/
    Stand out for justice as witnesses to God
  14. #8
  15. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Posts
    13
    Rep Power
    0
    Thanks a lot wizards, I carefully read what you wrote and info in the links you provided and others.

    So I understand that using php-cgiwrap offers the best protection. On the other hand, placing the text file above www root will only protect from users outside of the shared server I am on. If the server was didicated, placing the text file above the www root will be enough. I think I got it right ?? I will search for php4.cgi and use it.

    By the way, I know nothing about Perl.

    Thanks again,
    Salam

IMN logo majestic logo threadwatch logo seochat tools logo