File permissions on Shared hosts

Question

I've written a script which takes the summary of an order and stores in into an XML file, except the problem is that I don't want people to be able to open the XML file in their browser, obviously.

I'm hosted on a very dodgy shared server with limited abilities: no SSH, for starters.

Is there a place I can put this file so that PHP will still be able to read/write to it, but web browsers won't be able to get to it?

Ordinarily, I'd create a folder outside the document root and put it there, but I get a "Permission denied" message when I try that.

The folders which are there are:

• anon_ftp
• bin
• cert
• cgi-bin
• conf
• error_docs
• etc
• httpdocs
• httpsdocs
• pd
• private
• statistics
• subdomains
• web_users

PHP can't access the file when it's in the private folder. Would this be possible using .htaccess?

Answer 1

I worked around it by putting the XML file in my httpdocs folder, but added a .htaccess file with this in it:

<Files ~ "myfile.xml">
    Order allow,deny
    Deny from all
</Files>

Answer 2

Couldn't you ask the shared-hosting provider to create an outside-web-root folder for you? I've certainly done this in the past.

Answer 3

You could create a directory containing a .htaccess file that looks something like the following:

Deny from all

This will instruct Apache not to serve files from that directory; any attempts to access the directory or its contents will be met with a "403 Forbidden" response from the server.

Note: This depends upon the host not having removed Limit from the list of options in their AllowOverride directive; most shared hosts shouldn't have a reason to do this.