htaccess and php

RedDragon

hi i need some help for my forum software located at http://www.flashbb.net

i have an directory logs with a file x.log (chmodded to 777) in it
everybody can now download the x.log...

i need an htaccess file which prevents users from doing that, but the php script should still be able to write to that file!

does anybody know how to do that?

daphreeek

make a new directory and put the file you write to in that directory and chmod 777 it then put a .htaccess file in the directory with these lines:

<Limit GET>
order deny,allow
Deny from all
</LIMIT>

That should work. It did for me 🙂 Then all you need 2 do is make your script that writes to the file point into the new directory.

Another way is to put the file outside your web directory. If you have your own server, and your document root is c:/webserver/htdocs (or woteva) then put it in a dir above (eg: c:/webserver) as these files are not accessable from the web but are by your php scripts.

However, if you don't have your own server, it may not be possible to go above your dir. With some hosts you can. If you have a public_html dir then put it above that or in a cgi-bin.

Hope that helps. The first method is easiest because you can keep all your non-public logs... in that directory 🙂

Matt

PyroX

Just remember, 777 is not safe.

daphreeek

meh.... safety and internet - mmmmmhhhhmmmmmmmmm. if anyone really wanted to get ur stuff, they could and not a lot can stop em.

I mean, I accidentally stumbled accross a huge security hole in my host's security and could access/change/delete any data on thier server if i wanted to including confidential user info and other users websites. of course i didnt and just told the webmaster bout it - but still....

security/privacy is just an illusion on the net - its a risk we must take if we use it.

and before you ask - yes I am a psyco 🙂

well - with that said, you should be careful as pyrox said because ppl can exploit the chmod 777 but it isnt overly likely. Just be careful.

Matt

PyroX

From RedDragon's site.

Is this 'demo' supposed to be this way:
http://flashbb.net/live/

RGBlackmore

you dont need htaccess.

chown user.user log.x
chmod 600 log.x

where user.user is the user and group in wich apache runs (if you compile from sources.. nobody)

if you use apache for windows.... htaccess 😃