Reputation: 5068
What permission do I set for a file/folder to allow reading from PHP but not from the browser?
It is a basic users.txt file with username and password.
Upvotes: 0
Views: 440
Reputation: 3158
Don't put it in the webroot or public_html directory.
So, for example, instead of:
/var/www/example.com/public_html/secret.file
(or whatever your server is serving as the domain's root), something like:
/usr/share/php-files/this/path/is/ultimately/arbitrary/secret.txt
It doesn't matter where you put the file, as long as you tell PHP where the file is.
If you want to be extra careful, the permissions should be 600, if you don't plan to write to it yourself. And don't forget to chown it to whatever your PHP/webserver user is (typically www-data).
But if it is in the webroot directory, it doesn't matter -- people can get the file and change the permissions afterward. Simply because the user is requesting the file from the webserver, and the webserver has permissions to read it -- the webserver can and will pass the file along as long as it is in a web-accessible directory.
I've seen clients that make this mistake all the time -- leaving horrendous things like full-site.tar.gz and all-our-clients'personal-information.sql -- it isn't hard to keep those things out of the web-root...
Upvotes: 3
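The three checks from the answer above (file outside the document root, mode 600, owned by the PHP/webserver user) as a small audit function. This is an added example, not code from the original post; the function name `check_secret_file` is hypothetical, and it assumes Linux with GNU coreutils (`readlink -f`, `stat -c`).

```shell
#!/bin/sh
# Added example. Usage (paths and user taken from the answer):
#   check_secret_file /usr/share/php-files/secret.txt \
#       /var/www/example.com/public_html www-data
# Returns 0 if every check passes, 1 if any check fails, 2 on bad input.
check_secret_file() {
    file=$1
    docroot=$2
    owner=$3
    problems=0

    # Resolve symlinks first, so a path that only looks like it is outside
    # the document root (e.g. via a symlinked directory) is still caught.
    real_file=$(readlink -f -- "$file") || return 2
    real_root=$(readlink -f -- "$docroot") || return 2
    if [ ! -f "$real_file" ]; then
        echo "ERROR: not a regular file: $file"
        return 2
    fi

    # Inside the document root the web server will hand the file out,
    # whatever its mode, because the server itself must be able to read it.
    case "$real_file" in
        "$real_root"/*)
            echo "FAIL: $real_file is inside document root $real_root"
            problems=1
            ;;
    esac

    # 600 = read/write for the owner only, nothing for group or others.
    mode=$(stat -c '%a' -- "$real_file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600"
        problems=1
    fi

    # The owner must be the account PHP runs as, or PHP cannot read it.
    actual_owner=$(stat -c '%U' -- "$real_file")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: owner is $actual_owner, expected $owner"
        problems=1
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK: $real_file"
    fi
    return "$problems"
}

# Run directly when called with: FILE DOCROOT OWNER
if [ "$#" -eq 3 ]; then check_secret_file "$@"; fi
```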