Welcome to WebmasterWorld Guest from 188.8.131.52
deny from all
I tried setting .htaccess to 666 then typed www.mydomain.com/.htaccess in the browser and got 'permission denied'. I even tried removing the deny from all directive and I still couldn't read .htaccess with a browser. Does this mean that .htaccess would be safe with permissions set to 666 and the deny from all directive?
The first is probably prohibited in the server configuration. It's pretty common for people to put something in apache configuration files to prohibit from serving any file that starts with ".ht". In fact, I think that's default in a lot of setups. That may be why you can't pull the page even when you don't specifically deny it in your .htaccess. I think you're alright here.
The other kind of security needs a little work. I recommend a permission setting of 644 on your .htacess. The first digit is for permissions of the owner of the file. 6 is 4+2. The 4 is for reading, and the 2 is for writing. (and the 1 that's not there is for executing). the second digit is for people in the group that owns the file. You may as well give this 4 for read access. The third digit is for all others. You need to give this a 4 so that the user that runs the webserver process (probably 'nobody')can read the file in order to determine what special stuff you're doing in it.
That's a pretty quick summary, but you can search google for more on unix file permissions and use of chmod.
There was a nice article [heise.de] about this in the German computer magazine c't. So if you took German in High School now is a good time to refresh your knowledge.
Coming back to my problem, I need to write a PHP script which adds a 'deny from IP-address' line to .htaccess when called. The idea is to prevent people from downloading my entire site.
How to do all this when PHP is installed as 'others' on my provider's server?
There seem to be only two options:
1. set the permissions of .htaccess to 666 (and then according to the article somebody could modify my .htaccess)
2. let the PHP script connect in FTP mode with user-id and password (and store user-id and password in the script). In this case somebody who gets the script's code also gets my user Id and password.
What is the lesser evil? Having somebody mess up my .htaccess or having somebody get my user-id or password?