Home/ Questions/Q 7614861
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T02:30:40+00:00

Before I begin, I must warn you that I’m not much of a web

  • 0

Before I begin, I must warn you that I’m not much of a web programmer so my methods may seem somewhat roundabout and the terminology I use may be awkward.

Here’s the situation. I’m developing a website for users to visualize data.

I have a public php page sitting in /var/www/thepage/index.php path (yes, Linux server + apache). This is the main page of the site and is also where users make selections in a form.

Upon form submission, a second php page will be called and this is where the form selections from the first php page are passed to the javascript that creates the visualization. In order for that to happen, csv files are first written into this directory using a php script that queries from a MySQL database.

Thing is, I want users to be able to see the visualizations but not be able to download the csv files (unless they are admin). How I allow admin to download the files is to create a protected (.htaccess) subdirectory /var/www/thepage/secure/ which has an index html that runs a cgi script once an admin logs in (prompted when a download link is clicked). This script copies the latest files (with dynamic names) from the /var/www/thepage/ directory and moves them to the secure/ directory with static filenames. Download links pointing to these files with static names are on the protected index.html. However, if a user looks at the source code of the 2nd php page, they can also download the files as they know the paths and they are not protected.

If remove file permissions, the php script won’t be able to read the files either, causing the visualization to fail (I want normal users to be able to see the visualizations). It is also important to have the files because I have a cgi script (bash + awk) running a mathematical function on the files which also requires permission

Obscuring the filenames doesn’t really work either since the files are written on the fly and the source code of the html page will reveal the obscured csv filenames being written.

How can I get around this problem? I would prefer not to have to create sessions and log-ins for normal users, etc…

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    As previously said, it’s hard to hide anything on the net, especially if you need to send it to javascript. You could try hacking it a bit, could cost you a bit of performance, but would be a deterrent against people who aren’t web savvy… But could also be seen as a challenge by others 🙂

    A rough example would be something like..

    $csv = fgetcsv("/var/www/thepage/secure/file.csv");

echo "<script type'text/javascript'>";
echo json_encode($csv);
echo "</script>";

    Bit rusty here, but javascript should interpret the json as an object, that you can use in your code. You could go a step further and break the php array into sections before sending it off, making it harder to know what’s going on.

    Like I said. It’s rough, but it could be a solution.

    • 0