Forum Moderators: coopster & jatar k

PHP modifying files

... when PHP is registered as 'others' on the Apache server

     
1:18 pm on Sep 12, 2002 (gmt 0)

10+ Year Member



I am trying to write a PHP script which modifies .htaccess. However PHP is installed on the Apache server of my provider as 'others'. The only way to enable the PHP script to modify the file would be to set the permissions of .htaccess to 666, i.e. granting everybody read/write rights.
But I can't do this for security reasons.

Is there a way so that PHP "registers" itself with my password and user-id before making the changes and therefore gets the right to modify .htaccess?

Or maybe can a PHP script enter into FTP mode and make changes to files (when as I said PHP is registered as others)?

1:27 pm on Sep 12, 2002 (gmt 0)

10+ Year Member



Replying to myself...
Just checked the PHP manual and there indeed seem to be FTP functions available.

So all this can be done with FTP, right?

Now as I understand it, if I use the ftp_login ($conn_id, $username, $userpwd) I have to store my user ID and password in the PHP script. Is there a way somebody could download this PHP script and get my password?

2:34 pm on Sep 12, 2002 (gmt 0)

10+ Year Member



First, I wonder whether there is another way to do what you need to do. If you are trying to give permissions to individuals, you might look into [silkphp.com...] or one of the free groupware php programs if you have access to a database.

You are able to change permissions using an FTP client. An easy solution (example using *nix) is to change the write permissions on your .htaccess file to 775 (owner/group/anyone) and change the group on the .htaccess file to "others". The .htaccess file would then be owned by your login, and group "others".

Another solution is to explore directives that can be given to change the webserver group within the .htaccess file. This can be done depending on the "AllowOverride" status given to the webserver by your provider. See apache.org for details.

3:12 pm on Sep 12, 2002 (gmt 0)

10+ Year Member



Thanks for the reply. How can I change the group of the .htaccess file to others? If I do that won't I give read/write rights to everybody?

Concerning the directives option, I'm not too familiar with Apache directives, so I wouldn't know what to do.

But coming back to my other question, how dangerous is it to put user ID and password in a PHP script?

4:11 pm on Sep 12, 2002 (gmt 0)

10+ Year Member



I still don't know overall what you're trying to do, but unless you have some sort of a) .htaccess protection or b) authentication I wouldn't put passwords in a script or file.

Short of a more sophisticated solution, if you are trying to control access via .htaccess username/pass, is it possible to change an .htaccess file on your computer and then FTP it to the production server giving it the correct rights?

5:31 pm on Sep 12, 2002 (gmt 0)

10+ Year Member



The idea would be to prevent people from downloading the entire site. When a (bad) bot accesses the PHP script in a directory disallowed in robots.txt, the script gets the IP address of the bot and adds a "deny from IP-address" line to .htaccess.
This can't be done manually - the script has to be able to do everything without human intervention.

Since the PHP script can't directly modify .htaccess, one way of doing this would be via FTP. But I'd have to put password and user ID into the script.
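
The append step described in this post, as an added example that is not the poster's script: it validates the address before writing, skips addresses that must never be banned, takes a file lock and avoids duplicate lines. The function name `ban_ip()`, the return strings and all addresses are assumptions made for the example.

```php
<?php
// Added example, not the poster's script. ban_ip() and all sample
// addresses are constructed for illustration.
function ban_ip(string $htaccess, string $ip, array $neverBan = []): string
{
    // Accept only a literal IPv4/IPv6 address, so a newline or an extra
    // directive can never be written into .htaccess.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'rejected';
    }
    // Never lock out your own address or a crawler you want to keep.
    if (in_array($ip, $neverBan, true)) {
        return 'skipped';
    }
    $fh = fopen($htaccess, 'c+');   // create if missing, never truncate
    if ($fh === false) {
        return 'error';
    }
    try {
        // Two trap hits at the same moment must not interleave writes.
        if (!flock($fh, LOCK_EX)) {
            return 'error';
        }
        $line = "deny from $ip";
        $existing = stream_get_contents($fh);
        if (in_array($line, array_map('trim', preg_split('/\R/', $existing)), true)) {
            return 'duplicate';
        }
        $sep = ($existing !== '' && substr($existing, -1) !== "\n") ? "\n" : '';
        fseek($fh, 0, SEEK_END);
        fwrite($fh, $sep . $line . "\n");
        return 'banned';
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Constructed demo on a temporary file. A live trap page would pass
// $_SERVER['REMOTE_ADDR'], never a client-supplied header.
$file = tempnam(sys_get_temp_dir(), 'hta');
$mine = ['198.51.100.7'];
$hits = ['203.0.113.9', '203.0.113.9', '198.51.100.7', "192.0.2.1\nallow from all"];
foreach ($hits as $ip) {
    echo json_encode($ip), ' => ', ban_ip($file, $ip, $mine), "\n";
}
echo file_get_contents($file);
unlink($file);
```

On Apache 2.4 the `deny from` directive is provided by mod_access_compat, so that module has to be loaded for the appended lines to take effect.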

8:59 pm on Sep 12, 2002 (gmt 0)

10+ Year Member



Ok, just wrote the script and it works (appends the deny from line). Now what about security (leaving password and user id in a PHP script)?
9:16 pm on Sep 12, 2002 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



You could always set the user and pass in a third file and include it in the script. Then put that file below the root level of the site so no one can get it.

Just a file that says
<?php
$username = "whatever";
$password = "somepass";
?>

Or just put the script below root as well. Or set up some measure in the script itself to make sure it is only called from that one file. There are probably more.

10:21 pm on Sep 12, 2002 (gmt 0)

10+ Year Member



Ok, but how do I put something below root level?
11:17 pm on Sep 12, 2002 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Well, you have a directory where the index page for your site is, you need to put it up one level, in the directory above it. It depends on how your host is set up. Most that I have worked with have the option to do this.
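
The layout suggested in these replies, as an added example that is not code from the thread: a loader that reads the credentials from a file one level above the web root and refuses a file that sits inside it. `load_credentials()`, the file name `ftp-credentials.php` and the directory layout are assumptions; the credentials file here returns an array instead of setting `$username` and `$password`.

```php
<?php
// Added example. load_credentials() and every path are hypothetical.
function load_credentials(string $file, string $docRoot): array
{
    $real = realpath($file);       // resolves ../ and symlinks
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('credentials file or document root not found');
    }
    // A file under the document root has a URL. If PHP parsing is ever
    // switched off, the server would send its source as plain text.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('credentials file is inside the document root');
    }
    // The file returns an array, so it defines no globals and prints
    // nothing even if it is somehow requested directly.
    $cfg = require $real;
    if (!is_array($cfg) || !isset($cfg['username'], $cfg['password'])) {
        throw new RuntimeException('credentials file has the wrong format');
    }
    return $cfg;
}

// Constructed layout in a temp directory: <base>/htdocs is the web root.
$base = sys_get_temp_dir() . '/credsdemo_' . getmypid();
mkdir("$base/htdocs", 0700, true);
$body = "<?php\nreturn ['username' => 'whatever', 'password' => 'somepass'];\n";
file_put_contents("$base/ftp-credentials.php", $body);         // above the root
file_put_contents("$base/htdocs/ftp-credentials.php", $body);  // wrong place

$cfg = load_credentials("$base/ftp-credentials.php", "$base/htdocs");
echo "loaded user: {$cfg['username']}\n";
try {
    load_credentials("$base/htdocs/ftp-credentials.php", "$base/htdocs");
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}

// Remove the constructed files again.
unlink("$base/htdocs/ftp-credentials.php");
unlink("$base/ftp-credentials.php");
rmdir("$base/htdocs");
rmdir($base);
```
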
10:04 am on Sep 13, 2002 (gmt 0)

10+ Year Member



Well, it just came to my mind that maybe there is another solution. I could set the rights of .htaccess to 666. The .htaccess file contains the following directive:

<Files .htaccess>
order allow,deny
deny from all
</Files>

My questions:
1. In spite of the 666 permissions will other users NOT be able to read/write .htaccess?
2. Will the PHP script be able to modify .htaccess?

2:28 pm on Sep 13, 2002 (gmt 0)

10+ Year Member



Just had another idea. What if I put the file

<?php
$username = "whatever";
$password = "somepass";
?>

in a directory which is protected with a deny-from-all .htaccess file? Would the user-id and password be safe (and would the PHP script be able to access this directory)?

5:00 pm on Sep 13, 2002 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I must admit that I am not sure if deny from all will allow the script to access the file. I think so but you should just test it and see. You can always change it back.
2:40 am on Sep 14, 2002 (gmt 0)

10+ Year Member



One more question. Since I'm sharing a server with other customers of my provider, couldn't other customers browse through my directories and find the password file?
11:45 am on Sep 14, 2002 (gmt 0)

10+ Year Member



If they could do that they would already know your password etc.
3:14 pm on Sep 14, 2002 (gmt 0)

10+ Year Member



Not sure I quite get what you are doing but why not just redirect the bad bot to a subdirectory and deny access to all or whatever. Just seems like if you are reacting on the fly there are other options without opening a security hole.
4:20 pm on Sep 14, 2002 (gmt 0)

10+ Year Member



It would seem most efficient to immediately ban the IP address of the bad bot. There are other options, but this one seems to be the best one (to me at least).

I'm still undecided whether to set the permissions of .htaccess to 666 or store password and user id on site in a well protected place.

Well, maybe I should simply set .htaccess to 666. The worst that can happen is that somebody changes it to a deny from all, effectively shutting off the site. But if an attacker finds password and user id, he/she can delete everything or upload everything he/she wants.
