homepage Welcome to WebmasterWorld Guest from 54.205.247.203
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Visit PubCon.com
Home / Forums Index / WebmasterWorld / New To Web Development
Forum Library, Charter, Moderators: brotherhood of lan & mack

New To Web Development Forum

    
How do I reference files one level up from the document root?
User login details contained within a text file...
Blackcat_UK




msg:967675
 4:07 pm on Apr 14, 2003 (gmt 0)

I've been searching the web all day for some form of answer to this but with no joy...

I have a PHP login script that works fine, and uses separate users.dat and log.dat files that are in plain text format (the passwords are md5 encoded). I don't want these to be at the document root level or below, and according to what I've seen written, it would be correct to place them one directory up from the www root.

My web host file structure is as follows:

/home/myname/mainwebsite_cgi -> ../../var/www/cgi-bin
..................../mainwebsite_html -> ../../var/www/html
..................../mainwebsite_perl -> ../../var/www/perl

where all the mainwebsite directories above are symbolic links to /var/www/html
..................................................................................................../perl
..................................................................................................../cgi-bin

I can't create folders under the /var structure at all (probably wise), but can under the /home/myname structure.

The problem that I have is, how does my PHP login script (www.mysite.com/html/login.php) refer back to the users.dat file (/home/myname/user_data/users.dat)?

In other words, how do I get my Login.php script under the publlic access www domain to read and write to the users.dat and log.dat under my host home directory structure...

I've tried absolute server referencing (/home/myname/user_data/users.dat), relative referencing (but that just ends up traversing the /var directory due to the symbolic links), and of course, domain referencing is no good as it's outside the document root.

I've seen loads of references to protecting sensitive files by placing them one step back from the document root, but no explanation of how to refer to them.

I hope someone can make some sense of the above...
Thanks.

 

SinclairUser




msg:967676
 4:23 pm on Apr 14, 2003 (gmt 0)

I am not sure how you would do it in PHP but in Perl I simply put the files one level above web root and open the file - read the values into variables - use variables in the connection or whatever.

There are probably clever ways to do it - but this works for me.

Blackcat_UK




msg:967677
 4:31 pm on Apr 14, 2003 (gmt 0)

So, in my case (referring to the blurb in my initial post), you'd place the files in /var/www?

I've tried to create a directory there, but I don't have the necessary permissions. It appears the web host has restricted abilities to create anything to my /home structure and anything under the html, cgi-bin and perl directories in /var/www (sensible probably :-).

lorax




msg:967678
 4:43 pm on Apr 14, 2003 (gmt 0)

Perhaps I'm not understanding something but wouldn't this work?

Consider the new dir location from the point of view of the web directory. I.E. if the new dir is on the same level as www then referring to it is as simple as ../newdir/filename.ext? This is how I work with a similar structure on a few of my websites.

If you're looking for an absolute path then you'll need to work with the symbolic link structure. Create the directory and then figure out the equivalent symbolic link and use that.

lorax




msg:967679
 4:45 pm on Apr 14, 2003 (gmt 0)

Ah.. just read your latest post.

So you're not allowed to create anything outside of the webroot correct?

Blackcat_UK




msg:967680
 5:01 pm on Apr 14, 2003 (gmt 0)

Yes, as far as I can tell, I can only create in web root (and down, of course) and under the /home structure.

Effectively this means that the files must reside somewhere under /home, but how can I refer to that from the web root structure (or can I even do that)?

The symbolic links are under root ownership, but everyting else is mine...

lorax




msg:967681
 5:11 pm on Apr 14, 2003 (gmt 0)

First let's agree on terminology. When I refer to webroot I mean the equivalent of www.yourdomain.com. If this is also equal to /home/www/ and you can get to and create a dir under /home/ then you're golden. If you can't then you're stuck.

Blackcat_UK




msg:967682
 5:20 pm on Apr 14, 2003 (gmt 0)

Yes, I'm familiar with the terminology ;-) It's just the actual doing that lets me down :-)

The web root is actually /var/www/html.

My home directory is /home.

There are 3 symbolic links in my home directory to /var/www/html, /var/www/cgi-bin and /var/www/perl.

I can create anything under /home and within any of the 3 symbolically linked directories above, but nothing anywhere else.

I appreciate your help (and patience) - as you may have guessed, I'm quite new to web building (but I'm an adequate C++ programmer :-).

lorax




msg:967683
 5:46 pm on Apr 14, 2003 (gmt 0)

Hmm.. so you can't create /var/www/users/ for example?

Blackcat_UK




msg:967684
 6:07 pm on Apr 14, 2003 (gmt 0)

No - I've just tried to vi and save a standard text file under /var/www, but it says it can't open the file for writing when I try to save (the file isn't created). I've also tried to create a directory as well, but get the 'Permission denied' message.

I am the admin of the site, so I guess the host must have it locked down?

I've just looked at the permissions of the www directory and it's owned by root...

wruk999




msg:967685
 6:14 pm on Apr 14, 2003 (gmt 0)

Blackcat_UK,

Firstly, Welcome to WebmasterWorld [webmasterworld.com]!

Have you got command line access to the server, either Telnet or SSH?
and if so, can you not do a 'chown' on the folder to your user.

Have you also tried putting

<?
phpinfo();
?>

into a text file and seeing _exactly_ the location of your files?

wruk999

[edited by: wruk999 at 6:15 pm (utc) on April 14, 2003]

lorax




msg:967686
 6:15 pm on Apr 14, 2003 (gmt 0)

What are you using to create the directory with? Have you tried using an FTP program or are you using SSH?

Blackcat_UK




msg:967687
 6:35 pm on Apr 14, 2003 (gmt 0)

I'm using SSH. I'll try the chown in a minute or two - eating :-)

lorax




msg:967688
 6:54 pm on Apr 14, 2003 (gmt 0)

Eating is highly overated. ;) Let us know what you find out.

wruk999




msg:967689
 7:10 pm on Apr 14, 2003 (gmt 0)

>> highly overrated, but unfortunately necessary for life! :( lol

If you are using SSH then you will most likely be logging in as root? hence you will be creating dir's and they will be owned by root.

wruk999

Blackcat_UK




msg:967690
 7:18 pm on Apr 14, 2003 (gmt 0)

Eating was over-rated (but don't tell the wife ;-)

I've logged in and tried to chown 'www', but I'm not permitted.

If I do 'id -un' it tells me that I'm logged in as 'blackcat' (my user name).

I think a mail to my host may be in order...

lorax




msg:967691
 7:24 pm on Apr 14, 2003 (gmt 0)

I assume then that you cannot create the directory using a standard FTP client either. So, you should contact the host and see if you're missing something. You could create a dir within the webspace and use .htaccess to control permissions but it is riskier.

Blackcat_UK




msg:967692
 7:37 pm on Apr 14, 2003 (gmt 0)

Yes, I know about the .htaccess, but I wanted the PHP approach. I'll contact the host and see what they say.

Thanks guys :-)

wruk999




msg:967693
 7:50 pm on Apr 14, 2003 (gmt 0)

Blackcat,

I think lorax meant that you could control access to the file directory...not as an actual user control system.

You could protect the text files by only allowing the server to access the directory with the files in.

Regards,
wruk999

lorax




msg:967694
 7:55 pm on Apr 14, 2003 (gmt 0)

>> I think lorax meant that you could control access to the file directory...not as an actual user control system.

That's correct. :)

Blackcat_UK




msg:967695
 7:55 pm on Apr 14, 2003 (gmt 0)

I've fired off a query to the host about the way the server is set up (politely, of course).

Ah, I see what you mean about the directory access using .htaccess - I'll read it properly next time ;-)

I'll see what the host replies with, it may well come to that yet...

I've read about allowing only server access Wruk999, but I've no idea how to go about it :-/

wruk999




msg:967696
 8:03 pm on Apr 14, 2003 (gmt 0)

I have only ever used .htaccess for basic user-authentication, and for php user systems I use MySQL.

Maybe it is something along the lines of restricting all access except from your servers IP.
Or the service name of your web server: wwwrun.nobody (as an exmaple)

Lorax, can you advise on this?

wruk999

lorax




msg:967697
 8:25 pm on Apr 14, 2003 (gmt 0)

In your .htaccess file use:

AuthName "Some Name"
AuthType Basic

AuthUserFile /dev/null
Require valid-user

This will not allow anyone to access the dir using HTTP(s) since there is no uname/pwd access file for it to use but it should allow your script to request a file within the dir.

It should be noted that this is not guaranteed secure. But it's better than nothing.

Blackcat_UK




msg:967698
 8:34 pm on Apr 14, 2003 (gmt 0)

Thanks guys - I'll try that :-)

Blackcat_UK




msg:967699
 7:47 pm on Apr 15, 2003 (gmt 0)

I just want to say a big thank you guys :-)

lorax, the .htaccess example prevented www access to the files, but unfortunately also prevented browser access. I would have perservered, but then I tried wruk999's suggestion of the phpinfo() page...

I created the page, accessed it, downloaded it and then deleted it from the server. It revealed the internal /root path for me and it works a treat :-)

I couldn't have guessed it in a month of Sundays though!

Anyway, thanks for the perserverence guys, it's all working now :-)

wruk999




msg:967700
 7:52 pm on Apr 15, 2003 (gmt 0)

No probs - I'm glad lorax stopped by to hint about the htaccess.
Glad that you got it all sorted out in the end! :)

Regards,
wruk999

lorax




msg:967701
 7:58 pm on Apr 15, 2003 (gmt 0)

>> lorax, the .htaccess example prevented www access to the files, but unfortunately also prevented browser access.

That's correct. That's what it was designed to do. BUT your script should have been able to access anyfiles within that directory. Hopefully you didn't place the .htaccess file in the webroot as it is designed to be placed within a directory that only contains the files you want a script to access.

As long as you have a working solution - that's what matters.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / New To Web Development
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved