Hey,

I've been wondering how to make sure my flat file database is secure. I did a search on this forum and the majority of replies seem to focus on the following:

"keep it outside (one level up) of your web root...
then when you want to call it/write to it:
call:
$DOCUMENT_ROOT/../flatfile.txt

that way, only the php webserver can read it"
~anon

I tried doing that but I don't think it made it very secure.
The folder that has all web data on it is: /export/httpd/vhosts/studentorgs/data/racquetball

so I placed those files in:
/export/httpd/vhosts/studentorgs/data/

Unfortunately, when I try to access the file I have in the data folder, I can easily do so by using my web browser (so I came to the conclusion that the webserver wasn't restricting access).

To find out what was happening I typed in phpinfo() and got this:

DOCUMENT_ROOT /export/httpd/vhosts/studentorgs/data

So I figure I'm putting the files in the right directory.

Currently the only security measure I have is that the .txt file has a very random name, something like 1232354jladksfdsafuiownx.txt (making it hard for hackers to find).

Is there anything else I can do to make it secure?

One more question I have is that if I change chmod to 777 (so that the php file can write to it) does that mean anyone can access and modify the file?

thanks,
iceanfire

    You placed the file in your root directory. You need to place it outside, i.e. /export/httpd/vhosts/studentorgs

    But then, the chances are... you might not even have access to this directory. What kind of file is it? (Unless you're using SQLite, it's really not a database.) You can use some .htaccess trickery to prohibit files of a certain type from being displayed.

      I don't have access to that directory. It's on a university server so they tend to be very protective about stuff. Currently I'm just using a txt file with all the info in it, but I'm pretty sure I can change the file type easily.

      Will chmod 777 allow people to edit the file? Or would they need access to the server for that? I do have the ability to add .htaccess files into subdirectories, let me know if you have any tips on how to implement that.

      much thanks,
      iceanfire

        If your uni host won't allow you to create files outside the web area, you may (depending on how your webserver is configured) be able to use .htaccess to prevent people from browsing into that directory and displaying your file. It will still be available for your scripts to fopen().

        Here's a quick .htaccess tutorial.
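The two points in this thread that are easy to get wrong in practice are (a) deciding whether a path is really outside DOCUMENT_ROOT after ".." and symlinks are resolved, and (b) writing a deny-all .htaccess into the data subdirectory when the host does not let you leave the web root. The script below is an added example, not code from the original posts: `outside_webroot` and `write_deny_htaccess` are hypothetical helper names, the directory tree it builds under mktemp is constructed for the demo (it mirrors the /export/httpd/vhosts/studentorgs/data layout from the thread but is not that server), and the Apache directives assume the server honours `AllowOverride Limit` for that directory, which only the host can confirm. On the chmod question: 777 grants write access to every local account on the shared machine, not to web visitors, so a narrower mode that still lets the web server's user write (for example 660 with the file group-owned by the server's group) is the usual alternative where the host allows it.

```shell
#!/bin/sh
# Added example (not from the original thread). POSIX sh only.

# outside_webroot DOCROOT FILE
# Exit status 0 if FILE lies outside DOCROOT once symlinks and ".." are
# resolved, 1 if it is inside (and so reachable by URL unless the server
# is configured to refuse it), 2 if a directory cannot be resolved.
# Only the directory containing FILE has to exist; the file itself may not.
outside_webroot() {
    docroot=$(cd -P -- "$1" && pwd) || return 2
    filedir=$(cd -P -- "$(dirname -- "$2")" && pwd) || return 2
    case "$filedir" in
        "$docroot"|"$docroot"/*) return 1 ;;   # inside the web root
        *) return 0 ;;                         # outside the web root
    esac
}

# write_deny_htaccess DIR
# Creates DIR if needed and drops a .htaccess that refuses every HTTP request
# for it. PHP scripts on the same box can still fopen() files inside DIR,
# because .htaccess only governs what Apache serves, not filesystem access.
# Apache 2.2 syntax (needs AllowOverride Limit); the 2.4 equivalent without
# mod_access_compat is a single "Require all denied" line (AllowOverride AuthConfig).
write_deny_htaccess() {
    mkdir -p -- "$1" || return 1
    cat > "$1/.htaccess" <<'EOF'
# Refuse to serve anything in this directory over HTTP.
Order deny,allow
Deny from all
EOF
}

# Demo on a constructed tree that mirrors the thread's layout.
demo_root=$(mktemp -d) || exit 1
docroot="$demo_root/vhosts/studentorgs/data"          # what phpinfo() reported
mkdir -p "$docroot/racquetball"
: > "$docroot/1232354jladksfdsafuiownx.txt"            # where the poster put it
: > "$demo_root/vhosts/studentorgs/flatfile.txt"      # one level up, as advised

for f in "$docroot/1232354jladksfdsafuiownx.txt" \
         "$docroot/../flatfile.txt" \
         "$docroot/racquetball/private/db.txt"; do
    if outside_webroot "$docroot" "$f"; then
        printf 'outside web root: %s\n' "$f"
    elif [ $? -eq 1 ]; then
        printf 'INSIDE web root (fetchable by URL): %s\n' "$f"
    else
        printf 'cannot resolve: %s\n' "$f"
    fi
done

# If the file must stay under the web root, fence off its subdirectory.
write_deny_htaccess "$docroot/racquetball/private"
cat "$docroot/racquetball/private/.htaccess"

rm -rf "$demo_root"
```

Note that `$DOCUMENT_ROOT/../flatfile.txt` is only "outside" when DOCUMENT_ROOT is the site's own directory; in the poster's case DOCUMENT_ROOT is already the `data` directory, so dropping the file into `data/` puts it squarely inside the served tree, which is what the browser test showed.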
