How secure is storing sensitive information in a .PHP file on an Apache server?

Question

I am making an easy-to-setup, no-database PHP website which stores its data instead in text files.

The setup is a Linux/Apache/PHP server.

Up to now the information has been non-sensitive, so I store in: ../data/system.txt Theoretically someone could type (url)/data/system.txt in their browser and see the data file in plain text, which didn't matter up to now.

But now I want to store passwords so various groups can log in and see different information. These sites will be "low interest" and "low profile" sites and if someone is bored enough to hack the site and sees the information, it's not the end of the world, I just want to provide a modicum of technical hurdles so that the site can have individual and group access rights while retaining the ease of creating e.g. 50 of these sites without having to set up and maintain 50 databases.

My question is, what is the best way to protect these text files on Apache?

I can think of the following:

1) change the "../data" directory to some random directory name, e.g. "../data928374928374" as a kind of obfuscating measure

2) change the .txt file to .php and protect the text with PHP code like this:

<?php
echo 'access denied';
die;
/*
...store data here...
*/
?>

3) put this .htaccess file in the /data directory to protect files with .txt and other endings:

<FilesMatch "\.(sqlite|xml|txt|csv|php)$">
Deny from all
</FilesMatch>

Here are my thoughts on these:

1) I could imagine there are ways to find out names of hidden directories on servers like this, is that true?

2) It is awkward to have a text file named .php and have PHP code in them since I want non-tech people to be able to edit the text files and just drop them as-is in the data directory and have them work, without having to "edify them with technical code". Not to mention this messes up the syntax-coloring in most editors.

3) Will this .htaccess file work on ALL servers> e.g. if I just copy the website as is to any Apache server, am I guaranteed that the files will be protected, or there other settings which can turn off the effect of .htaccess files on Apache servers?

Answer 1

Store files containing anything sensitive outside of the htdocs tree?

Answer 2

1. This would require bruteforce check but yeah.
2. True, it complicates things for non-tech people. Plus i'd imagine you might not be do everything you want.
3. .htaccess rules will work only for Apache server where the directory is allowed to use htaccess rules (and allows overriding of parameters, if that is required). Also note that on some configuration the file might not be called .htaccess but something else.

You could also probably use SQLite or something similar that does not actually require a database server.

Another idea is to have a structure like

/app
   /public_html
   /data

and have public_html contain your website that is exposed to outside world and /data be not accessible (only by your scripts).

In /app folder you can create a htaccess rule that will always redirect all requiests to punlic_html folder so it will not be visible to outside user (it's possible to do that behind the scenes). And if both folders are copies over including .htaccess file, this should be enough for one-step deployment

Answer 3

If it's a PHP only read file, then it's pretty easy if you got a good host.

Most of the time, your web root isn't the server's one.

For example, on my host, the path to the web directory is /data/domain/www/ which is the path to http://www.domain.com/ in a browser.

But I can create a folder below that level, for example, /data/domain/secret_folder/ which can't be reached by a browser but can be read by PHP if it's on the same server thanks to fopen