Håkon Hægland

Reputation: 40778

Protect file in web root but give access from php

I have a situation where I want to protect a file from public access, but enable read and write from php. The file contains sensitive information like passwords.

The problem is that

Also I would try to avoid .htaccess files.

So if I make a folder, say private, in the web root, and do

chmod 700 private

Then, if the file to protect is private/data, I do

chmod 700 private/file

Will this be a safe setup? So now I can read and write to the file from PHP, but it is not accessible to the public?

Is this a safe setup?

Upvotes: 0

Views: 245

Answers (3)

agamike

Reputation: 517

If you want to keep the restrictions stipulated (which are rather strange), and as (I guess) you do not wish/have access to Apache config directives, consider adding PHP to some group and give the group only rights to the file, i.e. Apache cannot read (if it's not in root/wheel).

Or make it a valid .php file (so only PHP would be the invoker when the file is requested) which returns nothing or redirects when invoked with PHP. Or just cipher it.

Upvotes: 1

Sam Dufel

Reputation: 17608

If you're running suPHP or fastCGI php, you can use a setup similar to what you've described to limit access to files. Otherwise, PHP will use the same user as the web server, and any file PHP can access is also accessible via url.

Upvotes: 1

Halcyon

Reputation: 57721

PHP runs as the same user as the webserver so if PHP can read it, so can your webserver (and vice versa).

If you don't want to use .htaccess there is another trick: save the file as a .php file. Even if someone accesses the file from the web they can't see the source, they might just get a white page or maybe an error depending on what exactly is in the file.

Upvotes: 2
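
Added example (not part of any answer above, and not code from the thread): one way to apply the "save it as a .php file" approach while still reading and writing the data from PHP. The path `private/data.php`, the function names `save_secrets`/`load_secrets` and the sample value are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The path, function names and
// sample value are hypothetical.
declare(strict_types=1);

const SECRET_FILE = __DIR__ . '/private/data.php';

// Store the data as PHP source. Requested over HTTP, the file is executed
// rather than served: it only returns an array and prints nothing.
function save_secrets(array $data, string $path = SECRET_FILE): void
{
    $dir = dirname($path);
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    // var_export() emits valid PHP for nested arrays of scalars.
    $code = "<?php\nreturn " . var_export($data, true) . ";\n";

    // The temp name also ends in .php, so it is never served as plain text.
    $tmp = $path . '.' . bin2hex(random_bytes(8)) . '.php';
    // Create the file empty and restrict it before any secret is written.
    $ok = touch($tmp) && chmod($tmp, 0600)
        && file_put_contents($tmp, $code, LOCK_EX) !== false;
    // rename() within one directory replaces the target atomically.
    if (!$ok || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("cannot write $path");
    }
    if (function_exists('opcache_invalidate')) {
        opcache_invalidate($path, true); // avoid reading a stale cached copy
    }
}

function load_secrets(string $path = SECRET_FILE): array
{
    if (!is_file($path)) {
        return [];
    }
    $data = include $path; // the file's "return" becomes include's value
    return is_array($data) ? $data : [];
}

// Constructed sample value, for demonstration only.
$secrets = load_secrets();
$secrets['db_password'] = 'example-only';
save_secrets($secrets);
var_dump(load_secrets()['db_password'] === 'example-only'); // bool(true)
```

This protection holds only while the web server hands `.php` files to the PHP interpreter; if that handler is ever disabled, the file is served as source text.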
