
How can I deny from all directories, but still access the files with scripts like PHP?

Developer https://www.devze.com 2023-03-27 19:16 Source: Web

I'm trying to figure out how I can deny users from looking at a text file but still access the file (read) with PHP? Is there a way to do this with htaccess?

EDIT: New to file security, I'm up for trying anything new!


You can do this easily by putting a .htaccess file in the folder you want to block, the contents of the .htaccess being deny from all. Then your web server won't serve up the pages, but you can still access them with fopen, file_get_contents etc.


No need to use htaccess for this: just start the file name with a dot and Apache will automatically ignore it by default. I use this trick to hide entire directories of PHP code.


For example, in vBulletin I use a simple .htaccess to protect the includes folder so that config.php is not readable. You can make a .htaccess file in the directories you want protected with the following:

<Files *.php>
order deny,allow
deny from all
</Files>

Not sure if the wildcard works; in my case I used

<Files config.php>
order deny,allow
deny from all
</Files>

Best of luck!
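The three answers above all rely on the same split: Apache refuses to serve the file over HTTP, while PHP reads it straight from disk and is unaffected. The fragments below are an added example, not configuration from any of the answers. They show the Apache 2.2 Order/Deny form next to its Apache 2.4 Require equivalent, a <Files> wildcard (which Apache does accept, so *.php works), and an explicit dotfile rule, because a stock httpd.conf only denies names beginning with .ht, not every file starting with a dot. The file names are assumptions taken from the answer above.

```apache
# --- .htaccess in the directory that holds config.php (two alternative forms) ---

# Apache 2.2 form, as written in the answer above.
<Files "config.php">
    Order deny,allow
    Deny from all
</Files>

# Apache 2.4 form of the same rule. Order/Deny/Allow only keep working on 2.4
# while mod_access_compat is loaded, so prefer Require on 2.4.
<Files "config.php">
    Require all denied
</Files>

# <Files> accepts shell-style wildcards, so one rule covers every PHP file here.
<Files "*.php">
    Require all denied
</Files>

# <FilesMatch> takes a regular expression. The stock httpd.conf only blocks
# <Files ".ht*">; this denies every dotfile in the directory explicitly.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# --- .htaccess in a directory that must never be served at all (first answer) ---
Require all denied
```

These directives only take effect if the server's AllowOverride permits them (Limit for Order/Deny, AuthConfig for Require); a silently ignored .htaccess is the usual reason a "protected" file is still readable, so check the result with curl -I against the protected URL and expect a 403. Denying at the web-server layer only stops URL access; keeping the file outside the document root, as the next answer does, removes the file from the served tree altogether and does not depend on per-directory overrides.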


Good question and there are a number of relatively simple things you can do.

For instance, you could store a text file below your public directory.

The public directory would be something like:

/home/site_folder/public_html/

below public would be something like:

/home/site_folder/key/

For instance, a file called "key.ini" stored below public in the sub key folder with the following contents:

[key]
name="enter a name here"
text="enter random text here"

This you can call using:

$ini_file = "path_to_file/key.ini"; // i.e. /home/site_folder/key/key.ini
$ini_array = parse_ini_file($ini_file);
$name = $ini_array['name'];
$text = $ini_array['text'];

But then an .ini file is not a text file. If your text file was below public, it would be secure from reading via a URL in the same way as the above ini file, and you can read it quite easily, assuming a "password.txt" file, like so:

$fh = fopen('password.txt', 'r');   // the path must be a quoted string
$password = fread($fh, 100);
fclose($fh);

If you wish to secure the contents of the file, you could use a simple asynchronous method such as this to encrypt the data at the same time, using the key.ini file above as the cipher key:

function getAesKey() {
    // key.ini is the [key] file shown above; the path must be a quoted string
    if ( file_exists('key.ini') ) {
        $args = parse_ini_file('key.ini');
        if ( isset($args['name']) AND isset($args['text']) ) {
            return md5( $args['name'].$args['text'] );   // 32 hex characters, used directly as the key
        }
    }
}

function encrypt_data($data) {
    //AES256 symmetric encryption (mcrypt extension, CBC mode with an all-zero IV)
    $key = getAesKey();
    if(32 !== strlen($key)) $key = hash('SHA256', $key, true);
    // pad to a whole number of 16-byte blocks; each pad byte holds the pad length
    $padding = 16 - (strlen($data) % 16);
    $data .= str_repeat(chr($padding), $padding);
    return mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, str_repeat("\0", 16));
}

NOTE: once the file is created, you may wish to change its permissions to read-only.

So something like this would create the file and add encrypted contents:

$fh = fopen('password.txt', 'w');  //Open for writing
fwrite($fh, encrypt_data("My very secure password"));
fclose($fh);

The function to decrypt the content:

function decrypt_data($data) {
    $key = getAesKey();
    if(32 !== strlen($key)) $key = hash('SHA256', $key, true);
    $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, str_repeat("\0", 16));
    // the last byte holds the padding length written by encrypt_data()
    $padding = ord($data[strlen($data) - 1]);
    return substr($data, 0, -$padding);
}

You could add a further function to return the actual content for you rather than writing all the code out each time:

function getPassword() {
    $fh = fopen('password.txt', 'r');
    $password = fread($fh, 100);
    fclose($fh);
    return decrypt_data($password);
}

Which means you call it like this:

$password = getPassword();

Contents of your password file, if it were accessed, would look something like this:

v?��cr���bV��@

With the file below public, no one is going to be able to navigate to the file like www.yoursite.com/text_file.txt to view it. And if they do somehow get access to your server and find the password file, they won't be able to decipher the encrypted content without the key. But they would likely just output the content using your function.

I usually have my encryption class file and the key.ini in one of the include directories, so it is not available in the current hosting account path. To access this you would need root access to the server. This way, if someone has a copy of all your code, they won't be able to unlock the file without the key file.
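The answer above combines two ideas: keep the secret file outside the document root, and encrypt its contents with a key held in a separate key.ini. The code below is an added example that is not the answer's own code. It keeps the answer's layout (/home/site_folder/key as the private directory, key.ini with a [key] section holding name and text; both are assumptions here) but swaps the cipher calls: the mcrypt extension was removed from PHP core in 7.2, and CBC with a fixed all-zero IV produces identical ciphertext for identical plaintext prefixes, so the example uses openssl_encrypt with AES-256-GCM, a fresh random nonce on every write and an authentication tag that makes a modified or truncated file fail to decrypt instead of returning garbage. The helper names (privatePath, loadKey, storeSecret, getSecret) are invented for this example. PHP 8 is assumed.

```php
<?php
// Added example (not from the answer above): secrets stored outside the web
// root, read by PHP, encrypted with a key from key.ini. Paths are assumptions.
declare(strict_types=1);

const PRIVATE_DIR = '/home/site_folder/key';      // sibling of public_html, never served
const KEY_FILE    = PRIVATE_DIR . '/key.ini';     // [key] section with name= and text=

// Resolve a bare file name inside PRIVATE_DIR and refuse anything that escapes it:
// no directory components, and nothing that resolves back under DOCUMENT_ROOT.
function privatePath(string $name): string
{
    if ($name === '' || $name !== basename($name)) {
        throw new InvalidArgumentException("bare file name expected: $name");
    }
    $dir = realpath(PRIVATE_DIR);
    if ($dir === false) {
        throw new RuntimeException('private directory missing: ' . PRIVATE_DIR);
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    $real = file_exists($path) ? realpath($path) : $path;   // follow symlinks if present
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false && str_starts_with($real . '/', $docroot . '/')) {
        throw new RuntimeException("refusing a secret that is web-reachable: $real");
    }
    return $path;
}

// Derive a 32-byte AES-256 key from key.ini. The answer hashes name.text with md5;
// SHA-256 yields a full-length binary key. The values in key.ini should themselves
// be long and random (e.g. generated once with bin2hex(random_bytes(32))).
function loadKey(): string
{
    $ini = parse_ini_file(KEY_FILE, true);
    if ($ini === false || !isset($ini['key']['name'], $ini['key']['text'])) {
        throw new RuntimeException('key.ini missing or incomplete');
    }
    return hash('sha256', $ini['key']['name'] . $ini['key']['text'], true);
}

// Stored layout: 12-byte nonce || 16-byte GCM tag || ciphertext.
function encryptData(string $plain, string $key): string
{
    $nonce = random_bytes(12);          // never reuse a nonce with the same key
    $tag = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $nonce . $tag . $ct;
}

function decryptData(string $blob, string $key): string
{
    if (strlen($blob) < 28) {
        throw new RuntimeException('ciphertext too short');
    }
    $nonce = substr($blob, 0, 12);
    $tag   = substr($blob, 12, 16);
    $ct    = substr($blob, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($plain === false) {
        // wrong key or a modified/truncated file: the tag check failed
        throw new RuntimeException('decryption failed: wrong key or altered file');
    }
    return $plain;
}

// Write the encrypted file atomically and make it read-only for the owner,
// as the answer suggests doing after creation.
function storeSecret(string $name, string $plain): void
{
    $path = privatePath($name);
    $tmp  = $path . '.tmp';
    if (file_put_contents($tmp, encryptData($plain, loadKey()), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0400);
    rename($tmp, $path);
}

function getSecret(string $name): string
{
    $blob = file_get_contents(privatePath($name));
    if ($blob === false) {
        throw new RuntimeException("cannot read $name");
    }
    return decryptData($blob, loadKey());
}

// Usage mirrors the answer: write once, then read from any script.
// storeSecret('password.txt', 'My very secure password');
// echo getSecret('password.txt');
```

Two points the answer raises still hold for this version. Anyone who can run code as the web server user can call getSecret() and print the result, so the encryption protects the file at rest (backups, a stray copy of the directory, a misconfigured vhost), not against code execution on the host. And the key file must live outside the code tree and be readable only by the PHP process user, otherwise a copy of the code base ships with the means to decrypt.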

