I am making an easy-to-setup, no-database PHP website which stores its data instead in text files.
The setup is a Linux/Apache/PHP server.
Up to now the information has been non-sensitive, so I store it in: ../data/system.txt
Theoretically someone could type (url)/data/system.txt
in their browser and see the data file in plain text, which didn't matter up to now.
But now I want to store passwords so various groups can log in and see different information. These sites will be "low interest" and "low profile" sites, and if someone is bored enough to hack the site and sees the information, it's not the end of the world. I just want to provide a modicum of technical hurdles so that the site can have individual and group access rights while retaining the ease of creating e.g. 50 of these sites without having to set up and maintain 50 databases.
My question is, what is the best way to protect these text files on Apache?
I can think of the following:
1) change the "../data" directory to some random directory name, e.g. "../data928374928374" as a kind of obfuscating measure
2) change the .txt file to .php and protect the text with PHP code like this:
<?php
echo 'access denied';
die;
/*
...store data here...
*/
?>
3) put this .htaccess file in the /data directory to protect files with .txt and other endings:
<FilesMatch "\.(sqlite|xml|txt|csv|php)$">
Deny from all
</FilesMatch>
Here are my thoughts on these:
1) I could imagine there are ways to find out names of hidden directories on servers like this, is that true?
2) It is awkward to have a text file named .php and have PHP code in it since I want non-tech people to be able to edit the text files and just drop them as-is in the data directory and have them work, without having to "edify them with technical code". Not to mention this messes up the syntax-coloring in most editors.
3) Will this .htaccess file work on ALL servers? E.g. if I just copy the website as is to any Apache server, am I guaranteed that the files will be protected, or are there other settings which can turn off the effect of .htaccess files on Apache servers?
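
Point 3 asks whether the .htaccess rule is guaranteed to take effect on whatever server the site is copied to; one way to find out for each deployment is to request the data file over HTTP and look at the status the server returns. The script below is an added example, not part of the original post, and its base URL, file list and function names are assumptions.

```php
<?php
// Added example, not code from the original post. The base URL and the list
// of files are assumptions; adjust them to the site being deployed.
// Requires allow_url_fopen=On so PHP can make the HTTP request.

/** Return the last HTTP status code seen for $url, or 0 if the request failed. */
function http_status(string $url): int
{
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'follow_location' => 0,   // report a redirect instead of following it
        'timeout'         => 5,
    ]]);
    $headers = @get_headers($url, false, $ctx);
    if ($headers === false) {
        return 0;
    }
    $status = 0;
    foreach ($headers as $line) {
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m)) {
            $status = (int) $m[1];   // keep the last status line seen
        }
    }
    return $status;
}

/** Map a status code to a verdict for a file that must never be served. */
function verdict(int $status): string
{
    if ($status >= 200 && $status < 300) {
        return 'EXPOSED';            // the server handed the file out
    }
    if (in_array($status, [401, 403, 404], true)) {
        return 'blocked';
    }
    return 'unknown';                // 0, 3xx, 5xx: check by hand
}

$baseUrl = $argv[1] ?? 'http://localhost';   // assumed site URL
$files   = ['data/system.txt'];              // data file path from the question
$failed  = false;
foreach ($files as $path) {
    $status = http_status(rtrim($baseUrl, '/') . '/' . $path);
    $result = verdict($status);
    printf("%-30s HTTP %03d  %s\n", $path, $status, $result);
    $failed = $failed || $result !== 'blocked';
}
exit($failed ? 1 : 0);
```

Run it from the command line after copying the site to a new server, passing the site's URL as the first argument; a non-zero exit code means a data file was served or the result needs a manual look.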