Welcome to WebmasterWorld Guest from 220.127.116.11
I have a PHP login script that works fine, and uses separate users.dat and log.dat files that are in plain text format (the passwords are md5 encoded). I don't want these to be at the document root level or below, and according to what I've seen written, it would be correct to place them one directory up from the www root.
My web host file structure is as follows:
/home/myname/mainwebsite_cgi -> ../../var/www/cgi-bin
..................../mainwebsite_html -> ../../var/www/html
..................../mainwebsite_perl -> ../../var/www/perl
where all the mainwebsite directories above are symbolic links to /var/www/html
I can't create folders under the /var structure at all (probably wise), but can under the /home/myname structure.
The problem that I have is, how does my PHP login script (www.mysite.com/html/login.php) refer back to the users.dat file (/home/myname/user_data/users.dat)?
In other words, how do I get my Login.php script under the publlic access www domain to read and write to the users.dat and log.dat under my host home directory structure...
I've tried absolute server referencing (/home/myname/user_data/users.dat), relative referencing (but that just ends up traversing the /var directory due to the symbolic links), and of course, domain referencing is no good as it's outside the document root.
I've seen loads of references to protecting sensitive files by placing them one step back from the document root, but no explanation of how to refer to them.
I hope someone can make some sense of the above...
I've tried to create a directory there, but I don't have the necessary permissions. It appears the web host has restricted abilities to create anything to my /home structure and anything under the html, cgi-bin and perl directories in /var/www (sensible probably :-).
Consider the new dir location from the point of view of the web directory. I.E. if the new dir is on the same level as www then referring to it is as simple as ../newdir/filename.ext? This is how I work with a similar structure on a few of my websites.
If you're looking for an absolute path then you'll need to work with the symbolic link structure. Create the directory and then figure out the equivalent symbolic link and use that.
Effectively this means that the files must reside somewhere under /home, but how can I refer to that from the web root structure (or can I even do that)?
The symbolic links are under root ownership, but everyting else is mine...
The web root is actually /var/www/html.
My home directory is /home.
There are 3 symbolic links in my home directory to /var/www/html, /var/www/cgi-bin and /var/www/perl.
I can create anything under /home and within any of the 3 symbolically linked directories above, but nothing anywhere else.
I appreciate your help (and patience) - as you may have guessed, I'm quite new to web building (but I'm an adequate C++ programmer :-).
I am the admin of the site, so I guess the host must have it locked down?
I've just looked at the permissions of the www directory and it's owned by root...
Firstly, Welcome to WebmasterWorld [webmasterworld.com]!
Have you got command line access to the server, either Telnet or SSH?
and if so, can you not do a 'chown' on the folder to your user.
Have you also tried putting
[edited by: wruk999 at 6:15 pm (utc) on April 14, 2003]
Ah, I see what you mean about the directory access using .htaccess - I'll read it properly next time ;-)
I'll see what the host replies with, it may well come to that yet...
I've read about allowing only server access Wruk999, but I've no idea how to go about it :-/
Maybe it is something along the lines of restricting all access except from your servers IP.
Or the service name of your web server: wwwrun.nobody (as an exmaple)
Lorax, can you advise on this?
AuthName "Some Name"
This will not allow anyone to access the dir using HTTP(s) since there is no uname/pwd access file for it to use but it should allow your script to request a file within the dir.
It should be noted that this is not guaranteed secure. But it's better than nothing.
lorax, the .htaccess example prevented www access to the files, but unfortunately also prevented browser access. I would have perservered, but then I tried wruk999's suggestion of the phpinfo() page...
I created the page, accessed it, downloaded it and then deleted it from the server. It revealed the internal /root path for me and it works a treat :-)
I couldn't have guessed it in a month of Sundays though!
Anyway, thanks for the perserverence guys, it's all working now :-)
That's correct. That's what it was designed to do. BUT your script should have been able to access anyfiles within that directory. Hopefully you didn't place the .htaccess file in the webroot as it is designed to be placed within a directory that only contains the files you want a script to access.
As long as you have a working solution - that's what matters.