Welcome to WebmasterWorld Guest from 220.127.116.11
Is there a way so that PHP "registers" itself with my password and user-id before making the changes and therefore gets the right to modify .htaccess?
Or maybe can a PHP script enter into FTP mode and make changes to files (when as I said PHP is registered as others)?
So all this can be done with FTP, right?
Now as I understand it, if I use the ftp_login ($conn_id, $username, $userpwd) I have to store my user ID and password in the PHP script. Is there a way somebody could download this PHP script and get my password?
You are able to change permissions using an FTP client. An easy solution (example using *nix) is to change the write permissions on your .htaccess file to 775 (owner/group/anyone) and change the group on the .htaccess file to "others". The .htaccess file would then be owned by your login, and group "others".
Another solution is to explore directives that can be given to change the webserver group within the .htaccess file. This can be done depending on the "AllowOverride" status given to the webserver by your provider. see apache.org for details.
Concerning the directives option, I'm not too familiar with Apache directives, so I wouldn't know what to do.
But coming back to my other question, how dangerous is it to put user ID and password in a PHP script?
Short of a more sophisticated solution, if you are trying to control access via .htaccess username/ pass, is it possible to change an .htaccess file on your computer and then ftp it to the production server giving it the correct rights?
Since the PHP script can't modify directly .htaccess, one way of doing this would be via FTP. But I'd have to put password and user ID into the script.
just a file that says
$username = "whatever";
$password = "somepass";
or just put the script below root as well. Or setup some measure in the script itself to make sure it is only called from that one file. There are probably more.
deny from all
1. In spite of the 666 permissions will other users NOT be able to read/write .htaccess?
2. Will the PHP script be able to modify .htaccess?
I'm still undecided whether to set the permissions of .htaccess to 666 or store password and user id on site in a well protected place.
Well, maybe I should simply set .htaccess to 666. The worst that can happen is that somebody changes it to a deny from all, effectively shutting off the site. But if an attacker finds password and user id, he/she can delete everything or upload everything he/she wants.