Write to text file outside of webroot directory

Question

I am trying to use PHP to read and write from a text file. A file is read using a button on an html page. The file is written using a button on an html page that takes a parameter from a textbox. I was successful in writing to a text file when the text file is in the webroot directory. I want to be able to read/write from a text file that lives outside of the webroot directory.

I am using lighttpd with PHP on a Beaglebone. The webroot directory is located at /var/www. The text file that I want to edit will be located at /var/textFiles. I have looked around everywhere for solutions, but none seem to work.

The following is the most promising solution that I have found, but it does not seem to work. When I click the "read" or the "write" button the page seems to be stuck in an infinite loop. I was wondering if anyone knows why this doesn't work or if they can offer a better solution.

This is what I have so far:

index.php

<?php 
echo '<script language="javascript" type="text/javascript" src="jquery-1.9.0.min.js"></script>';
echo "<form name='write' action='writeFunctionCaller.php' method='post'>Input text to 
write to text file: <input type='text' name='input'>
<input type='submit' value='Write' ></form>
<form name = 'read' action='readFunctionCaller.php' method='get'>
<input type='submit' value='Read'></form><br><div id='fileContent'></div>";

class readWriteModel {

   function readFile() {
        $file_handle = fopen("secure.php?file=phpRead.txt", "r");
        while (!feof($file_handle)) {
            $line = fgets($file_handle);
            echo $line;
            echo '<br>';
        }
        fclose($file_handle); 
    }

    function writeFile($text) {
        echo ("Write Success! ");
        $filename = "secure.php?file=phpRead.txt";
        file_put_contents($filename, $text, FILE_APPEND | LOCK_EX);
    }
}
?>

secure.php

<?php
//validate that the user should have access to the file here

//Make sure it exists
$folder = realpath('/var/textFiles');
if(!$file = realpath($folder.'/'.$_GET['file']))
    error(404);
if(!is_file($file))
    error(404);

//Check for cheaters
if(substr($file,0,strlen($folder)) !== $folder)
    error(401);

header(sprintf("Content-type: %s;",getMimeType($file)));
readfile($file);
exit;

function error ( $code = 401, $msg = null ) {
    $msgs = array(
      400 => 'Bad Request',
      401 => 'Unauthorized',
      402 => 'Payment Required',
      403 => 'Forbidden',
      404 => 'Not Found',
    );
    if(!$msg) $msg = $msgs[$code];
    header(sprintf('HTTP/1.0 %s %s',$code,$msg));
    printf('<html><head><title>%s %s</title></head><body><h1>%s</h1></body> 
    </html>',$code,$msg,$msg);
    exit;
}

function getMimeType ( $filename ) {
    //MIME MAP
    $mime_extension_map = array(
    'txt'           => 'text/plain',
    );
    //Get Extension
    $ext = strtolower(substr($filename,strrpos($filename,'.') + 1));
    if(empty($ext))
      return 'application/octet-stream';
    elseif(isset($mime_extension_map[$ext]))
      return $mime_extension_map[$ext];
    return 'x-extension/' . $ext;
}
?>

writeFunctionCaller.php

<?php 
include_once('index.php');
$text = $_POST['input'];
$model = new readWriteModel();
$model->writeFile($text);
?>

readFunctionCaller.php

<?php 
include_once('index.php');
$model = new readWriteModel();
$model->readFile();
?>

Answer 1

I was able to read and write from a text file outside of the root directory. Just for the sake of seeing if it works, I set the directory above the webroot directory /varpermissions to 777, and the phpRead.txtto 777and referenced the file using the absolute path of /var/textFiles/phpRead.txt This is definitely not the most secure way of doing this, so if you are reading and writing to files outside of the webroot directory, see the following stackoverflow answer: https://stackoverflow.com/a/3012330/2047335 for more information on PHP security.

The following are the files I used to read/write to a text file above the webroot directory:

index.php:

<?php 
echo '<script language="javascript" type="text/javascript" src="jquery-1.9.0.min.js"></script>';

echo "<form name='write' action='writeFunctionCaller.php' method='post'>";
echo    "Input text to write to text file: <input type='text' name='input'><input type='submit' value='Write' >";
echo "</form>";

echo "<form name = 'read' action='readFunctionCaller.php' method='get'>";
echo    "<input type='submit' value='Read'>";
echo "</form>";
echo "<br>";
echo "<div id='fileContent'></div>";

class readWriteModel{
  function readFile() {
  $file_handle = fopen("/var/textFiles/phpRead.txt", "r");
  while (!feof($file_handle)) {
   $line = fgets($file_handle);
   echo $line;
   echo '<br>';
   }
  fclose($file_handle); 
  }
  function writeFile($text) {
   echo ("Write Success! ");
   $filename = "/var/textFiles/phpRead.txt";
   file_put_contents($filename, $text, FILE_APPEND | LOCK_EX);
   }
}

?>

readFunctionCaller.php:

<?php 
include_once('index.php');
$model = new readWriteModel();
$model->readFile();
?>

writeFunctionCaller.php:

<?php
include_once('index.php');
$text = $_POST['input'];
$model = new readWriteModel();
$model->writeFile($text);
?>

Image of the user interface:

Thank you all for your help!

Answer 2

Writing to a file outside the web directory is not any different than writing inside the web directory, a good practice is using absolute paths when writing to files, this will help you lots of troubles, and of course make sure that apache has the right permission to perform the desired action on the file.