I have a PHP login script that works fine, and uses separate users.dat and log.dat files that are in plain text format (the passwords are md5 encoded). I don't want these to be at the document root level or below, and according to what I've seen written, it would be correct to place them one directory up from the www root.
My web host file structure is as follows:
/home/myname/mainwebsite_cgi -> ../../var/www/cgi-bin
/home/myname/mainwebsite_html -> ../../var/www/html
/home/myname/mainwebsite_perl -> ../../var/www/perl
where all the mainwebsite directories above are symbolic links to /var/www/html, /var/www/perl and /var/www/cgi-bin
I can't create folders under the /var structure at all (probably wise), but can under the /home/myname structure.
The problem that I have is, how does my PHP login script (www.mysite.com/html/login.php) refer back to the users.dat file (/home/myname/user_data/users.dat)?
In other words, how do I get my Login.php script under the public access www domain to read and write to the users.dat and log.dat under my host home directory structure...
I've tried absolute server referencing (/home/myname/user_data/users.dat), relative referencing (but that just ends up traversing the /var directory due to the symbolic links), and of course, domain referencing is no good as it's outside the document root.
I've seen loads of references to protecting sensitive files by placing them one step back from the document root, but no explanation of how to refer to them.
I hope someone can make some sense of the above...
Thanks.
I've tried to create a directory there, but I don't have the necessary permissions. It appears the web host has restricted abilities to create anything to my /home structure and anything under the html, cgi-bin and perl directories in /var/www (sensible probably :-).
Consider the new dir location from the point of view of the web directory. I.E. if the new dir is on the same level as www then referring to it is as simple as ../newdir/filename.ext? This is how I work with a similar structure on a few of my websites.
If you're looking for an absolute path then you'll need to work with the symbolic link structure. Create the directory and then figure out the equivalent symbolic link and use that.
Effectively this means that the files must reside somewhere under /home, but how can I refer to that from the web root structure (or can I even do that)?
The symbolic links are under root ownership, but everything else is mine...
The web root is actually /var/www/html.
My home directory is /home.
There are 3 symbolic links in my home directory to /var/www/html, /var/www/cgi-bin and /var/www/perl.
I can create anything under /home and within any of the 3 symbolically linked directories above, but nothing anywhere else.
I appreciate your help (and patience) - as you may have guessed, I'm quite new to web building (but I'm an adequate C++ programmer :-).
I am the admin of the site, so I guess the host must have it locked down?
I've just looked at the permissions of the www directory and it's owned by root...
Firstly, Welcome to WebmasterWorld [webmasterworld.com]!
Have you got command line access to the server, either Telnet or SSH?
and if so, can you not do a 'chown' on the folder to your user.
Have you also tried putting
<?php
phpinfo();
?>
wruk999
[edited by: wruk999 at 6:15 pm (utc) on April 14, 2003]
Ah, I see what you mean about the directory access using .htaccess - I'll read it properly next time ;-)
I'll see what the host replies with, it may well come to that yet...
I've read about allowing only server access Wruk999, but I've no idea how to go about it :-/
Maybe it is something along the lines of restricting all access except from your servers IP.
Or the service name of your web server: wwwrun.nobody (as an example)
Lorax, can you advise on this?
wruk999
AuthName "Some Name"
AuthType Basic
AuthUserFile /dev/null
Require valid-user
This will not allow anyone to access the dir using HTTP(s) since there is no uname/pwd access file for it to use but it should allow your script to request a file within the dir.
It should be noted that this is not guaranteed secure. But it's better than nothing.
lorax, the .htaccess example prevented www access to the files, but unfortunately also prevented browser access. I would have persevered, but then I tried wruk999's suggestion of the phpinfo() page...
I created the page, accessed it, downloaded it and then deleted it from the server. It revealed the internal /root path for me and it works a treat :-)
I couldn't have guessed it in a month of Sundays though!
Anyway, thanks for the perseverance guys, it's all working now :-)
That's correct. That's what it was designed to do. BUT your script should have been able to access any files within that directory. Hopefully you didn't place the .htaccess file in the webroot as it is designed to be placed within a directory that only contains the files you want a script to access.
As long as you have a working solution - that's what matters.
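Added example, not code from any poster in this thread: one way login.php could reach users.dat and log.dat by absolute filesystem path while checking that the data directory really resolves outside the document root once symbolic links are followed. The function names and the "name:hash" line format are assumptions; /home/myname/user_data is the path given in the question.

```php
<?php
// Added example: function names and file format are assumptions.
const DATA_DIR = '/home/myname/user_data';   // path named in the question

/** Resolve a data file and refuse any location that ends up inside the web root. */
function data_path(string $file, string $dataDir = DATA_DIR, ?string $docRoot = null): string
{
    $docRoot = $docRoot ?? ($_SERVER['DOCUMENT_ROOT'] ?? '');
    // realpath() follows symlinks, so mainwebsite_html resolves to /var/www/html.
    $dir  = realpath($dataDir);
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    if ($dir === false) {
        throw new RuntimeException("Data directory missing: $dataDir");
    }
    if ($root !== false && strpos($dir . '/', rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('Data directory is inside the document root');
    }
    // basename() drops any directory part, so "../x" cannot escape $dir.
    return $dir . '/' . basename($file);
}

/** Return the stored hash for $user, or null. Assumed line format: "name:hash". */
function find_user(string $user, string $usersFile): ?string
{
    $lines = @file($usersFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("Cannot read $usersFile (check permissions and open_basedir)");
    }
    foreach ($lines as $line) {
        [$name, $hash] = array_pad(explode(':', $line, 2), 2, '');
        if ($name === $user) {
            return $hash;
        }
    }
    return null;
}

/** Append one entry under an exclusive lock so concurrent logins do not interleave. */
function log_attempt(string $logFile, string $user, bool $ok): void
{
    // Strip control characters so a submitted username cannot forge extra log lines.
    $clean = str_replace(["\r", "\n", "\t"], ' ', $user);
    $entry = sprintf("%s\t%s\t%s\n", date('c'), $clean, $ok ? 'OK' : 'FAIL');
    if (file_put_contents($logFile, $entry, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $logFile");
    }
}
```

In login.php this would be called as `find_user($name, data_path('users.dat'))` and `log_attempt(data_path('log.dat'), $name, $ok)`; the web server's user needs read access to users.dat and write access to log.dat.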