mattal999 Posted May 24, 2008

Hey, I have a website hosting script which uses a text file for usernames and passwords. I know it is not the best but I want to use flat-files only. Is there any way that I can make it so that people can not view it, but PHP's fopen() command still can? Thanks
deadonarrival Posted May 24, 2008

Put it above your document root. E.g. on an Apache server, you have youraccount/www/ as your document root. If you put your file which accesses the txt file in youraccount/ not youraccount/www/ it can't be accessed directly. You can do this by just using ../filename.txt instead of filename.txt as the access. There's also, I think, a $_SERVER['DOCUMENT_ROOT'] variable, but I'm not 100% on that.

Other options: It's possible to make your password file into a PHP file... just put <?php /* on the first line, and */ ?> on the last line and save them as .php, then remove these (substr?) when parsing the file. It makes it a bit trickier to work with, but if someone goes to yoursite.com/passwords.php they just get a blank document.

DEFINITELY use .htaccess if on Apache to deny access to the file, wherever you put it.

And encrypt the passwords (minimum of md5, preferably sha1/sha512 [my preferred is sha512])!!! That way if someone does get hold of your password file, they don't get the actual plaintext, just the hashed form of it.

Personally I'd put it above the document root, encrypted and protected by .htaccess - making it into a .php file is a lot of trouble.

Finally, consider using SQLite instead of fopen, it gives you the SQL access without the server - it's basically an fopen replacement. It's not really any more secure, but it'll save you headaches in the future.
Psycho Posted May 24, 2008

Actually, I think making the file into a PHP file is a good idea. If you were to make the file a simple PHP file which was nothing more than an array containing the usernames & passwords, then only scripts including that file on your server would "obtain" the values. Anything trying to access the file externally would only get a blank page (because it would be interpreted by the server first).

Example:

    <?php
    // Map each username to its password
    $users = array (
        'username1' => 'password1',
        'username2' => 'password2',
        'username3' => 'password3'
    );
    ?>
mattal999 (Author) Posted May 24, 2008

Thanks a lot guys! I used a PHP file but not an array, just a string to help the way it read! Thanks again
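
Added example, not code from any poster in the thread: it combines two of the suggestions above (a PHP data file, kept one level above the document root) and swaps the md5/sha hashes mentioned for PHP's built-in password_hash() and password_verify(), which need PHP 5.5 or later. The function names, the users.php filename and the temp-directory layout are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. All names and paths are hypothetical.

// Store the user table as a PHP file that returns an array of password hashes.
// var_export() quotes every key and value, so a hostile username cannot
// smuggle PHP code into a file that is later include()d.
function save_users(string $file, array $users): void
{
    $tmp = $file . '.tmp';
    file_put_contents($tmp, "<?php\nreturn " . var_export($users, true) . ";\n", LOCK_EX);
    chmod($tmp, 0600);      // only the account PHP runs as may read it
    rename($tmp, $file);    // atomic swap: readers never see a half-written file
    if (function_exists('opcache_invalidate')) {
        opcache_invalidate($file, true);   // otherwise include may serve a stale copy
    }
}

function load_users(string $file): array
{
    return is_file($file) ? (include $file) : [];
}

// Assumes a single writer; concurrent sign-ups would need a lock around this.
function add_user(string $file, string $name, string $password): void
{
    $users = load_users($file);
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);  // salted, slow hash
    save_users($file, $users);
}

function check_login(string $file, string $name, string $password): bool
{
    $users = load_users($file);
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// Constructed layout for the demo: <tmp>/account_xxxx/www plays the document
// root and users.php sits one level above it, where no URL maps to it.
// On a live site: $usersFile = dirname($_SERVER['DOCUMENT_ROOT']) . '/users.php';
$account = sys_get_temp_dir() . '/account_' . bin2hex(random_bytes(4));
mkdir($account . '/www', 0700, true);
$usersFile = $account . '/users.php';

add_user($usersFile, 'alice', 'correct horse');
var_dump(check_login($usersFile, 'alice', 'correct horse'));
var_dump(check_login($usersFile, 'alice', 'wrong guess'));
var_dump(check_login($usersFile, 'mallory', 'anything'));
```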