The way I designed the script was so that each time they want to save changes to their htaccess file through the script they have to enter their password. So I never have to actually save the password anywhere in the script.
On Fri, 3 May 2002, Mike Eheler wrote:

> The problem is not in them being able to overwrite the .htaccess *and*
> getting your FTP password.. those are the cons for both solutions we
> have presented, respectively.
>
> Right now the ideal solution seems to be this:
>
> save new .htaccess to a temp file
> save new .htpasswd to a temp file
> use PHP's FTP routines to connect to the FTP server with your
> username/password
> delete existing .htaccess
> delete existing .htpasswd
> upload new .htaccess
> upload new .htpasswd
> close connection
>
> The biggest problem with this is that you have your FTP password in
> plain text in the script that performs this. If anyone for any reason is
> able to take advantage of some kind of exploit that allows them to view
> the source of that file, you're toast. They get ahold of your FTP
> password and have free rein on your website.
>
> I'm open to suggestions.
>
> serj wrote:
>
> > Being that the files are owned by their respective users, I would imagine
> > that would make it pretty difficult for the .htaccess file to be
> > overwritten. If someone found a way to overwrite the file, couldn't that
> > person overwrite any file owned by the ftp user anyway? Also, I don't see
> > how someone being able to overwrite the .htaccess file would allow them to
> > grab the ftp password, especially if this is all transmitted over ssl. I
> > apologize, I'm not trying to start a flame war that I'm sure I'll
> > lose. But I am working on a script that does exactly this, and if I'm
> > doing it wrong perhaps I should begin recoding it.
> >
> > josh
> >
> > On Fri, 3 May 2002, Mike Eheler wrote:
> >
> >> If someone can overwrite your .htaccess there's a chance they can also
> >> view files through the same exploit (possibly). They could then get your
> >> FTP login info, and do a lot more damage than just removing password
> >> access to an area.
> >>
> >> Mike
> >>
> >> Serj wrote:
> >>
> >>> I'm not exactly sure why that is worse, could you elaborate a little?
> >>> Josh
> >>>
> >>> On Fri, 3 May 2002, Miguel Cruz wrote:
> >>>
> >>>> Thus leaving the FTP account's password in view of the httpd, which is
> >>>> even worse...
> >>>>
> >>>> miguel
> >>>>
> >>>> On Fri, 3 May 2002, serj wrote:
> >>>>
> >>>>> You could use fopen() to connect to the file via ftp, therefore keeping
> >>>>> the .htaccess file owned by the user for increased security.
> >>>>>
> >>>>> Josh Boughner
> >>>>>
> >>>>> On Fri, 3 May 2002, Mike Eheler wrote:
> >>>>>
> >>>>>> It's possible, but is it really recommended? Wouldn't the
> >>>>>> .htaccess/.htpasswd file have to be owned by the apache user, which
> >>>>>> might leave it open to being overwritten by any kind of a
> >>>>>> weak/exploitable script?
> >>>>>>
> >>>>>> Mike
> >>>>>>
> >>>>>> Josh & Valerie McCormack wrote:
> >>>>>>
> >>>>>>> I've used the script phtaccess, which I think used the mentioned class.
> >>>>>>> Super easy to use.
> >>>>>>>
> >>>>>>> Josh
> >>>>>>>
> >>>>>>>> On Wed, 1 May 2002, Kelly Meeks wrote:
> >>>>>>>>
> >>>>>>>>>> Is it possible to use php to admin a password file used by a
> >>>>>>>>>> .htaccess file?
> >>>>>>>>
> >>>>>>>> You should check the File_Passwd class from PEAR.
> >>>>>>>>
> >>>>>>>> http://chora.php.net/cvs.php/php4/pear/File
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Mika Tuupola http://www.appelsiini.net/~tuupola/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
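The procedure Mike sketches above (write the new files to temp files, connect over FTP as the site owner, replace .htaccess and .htpasswd) combined with Josh's approach of asking for the FTP password on every save, as an added example written for this page in current PHP. It is not code from any poster, from phtaccess or from PEAR File_Passwd. Everything specific is an assumption: the host ftp.example.com, the remote directory /public_html/protected, the form field names, an Apache 2.4.4+ that accepts bcrypt hashes in .htpasswd, a PHP build with OpenSSL so ftp_ssl_connect() is available, and an FTP server that lets RNTO overwrite an existing file. It also departs from the delete-then-upload order in the thread: files go up under a temporary name and are renamed into place, so there is no window in which the directory has no .htaccess at all. Usernames are validated before being written, because a ":" or newline in a username would let someone add a second entry to the password file.

```php
<?php
// Added example, not from the thread. Manage an .htpasswd file and push it with
// its .htaccess over FTP using credentials supplied with the request, so the
// FTP password is never stored in the script or on disk. Host, paths and form
// field names below are assumptions for illustration.

declare(strict_types=1);

// One .htpasswd line. bcrypt ($2y$) is accepted by Apache 2.4.4+ basic auth.
// Reject usernames that could smuggle a second entry into the file.
function htpasswd_line(string $user, string $password): string
{
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $user)) {
        throw new InvalidArgumentException('username may not contain ":" or newlines');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
}

// Replace (or add) one user's entry in existing .htpasswd contents.
function htpasswd_set(string $contents, string $user, string $password): string
{
    $lines = [];
    foreach (preg_split('/\r?\n/', $contents, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        [$existing] = explode(':', $line, 2);
        if ($existing !== $user) {
            $lines[] = $line . "\n";
        }
    }
    $lines[] = htpasswd_line($user, $password);
    return implode('', $lines);
}

// Upload both files with the credentials the admin just typed. Each file is sent
// under a temporary name and renamed into place, so a half-written or missing
// .htaccess never exists on the server. Apache's default <Files ".ht*"> rule
// also keeps the ".htaccess.tmp" name from being served to web clients.
function publish_auth_files(string $host, string $ftpUser, string $ftpPass,
                            string $remoteDir, string $htaccess, string $htpasswd): void
{
    // Require FTP over TLS so the password does not cross the wire in clear text;
    // fail closed rather than falling back to plain FTP. Assumes OpenSSL support.
    $ftp = ftp_ssl_connect($host, 21, 15);
    if ($ftp === false || !ftp_login($ftp, $ftpUser, $ftpPass)) {
        throw new RuntimeException('FTP/TLS login failed');
    }
    ftp_pasv($ftp, true);

    try {
        foreach (['.htaccess' => $htaccess, '.htpasswd' => $htpasswd] as $name => $body) {
            $local = tempnam(sys_get_temp_dir(), 'htp');   // holds only hashes, never the FTP password
            file_put_contents($local, $body);
            $ok = ftp_put($ftp, "$remoteDir/$name.tmp", $local, FTP_BINARY)
               && ftp_rename($ftp, "$remoteDir/$name.tmp", "$remoteDir/$name");
            unlink($local);
            if (!$ok) {
                throw new RuntimeException("upload of $name failed");
            }
        }
    } finally {
        ftp_close($ftp);
    }
}

// Request handler: the FTP password arrives with each save and is discarded
// afterwards. Field names and the AuthUserFile path are assumptions.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ftpPass  = (string)($_POST['ftp_password'] ?? '');
    $existing = (string)($_POST['current_htpasswd'] ?? '');   // current file contents carried by the form
    $htpasswd = htpasswd_set($existing, (string)($_POST['web_user'] ?? ''), (string)($_POST['web_pass'] ?? ''));
    $htaccess = "AuthType Basic\nAuthName \"Members\"\n"
              . "AuthUserFile /home/example/public_html/protected/.htpasswd\nRequire valid-user\n";
    publish_auth_files('ftp.example.com', 'example', $ftpPass, '/public_html/protected', $htaccess, $htpasswd);
    unset($ftpPass, $_POST['ftp_password']);
    echo 'updated';
}
```

The files still end up owned by the FTP user, as Josh wanted, and a script that can read the handler's source learns nothing about the FTP account. What remains exposed is the request itself, so the form must be served over HTTPS, and a compromised PHP process could still capture the password while the request is in flight.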