
I'm creating a website. The username/password to open the MySQL database is stored in a text file. I'm preventing that text file from being displayed by putting an .htaccess file and an .htpasswd file in the same folder as the text file, which is where all the programs are. It works: when I try to open the text file by URL, a popup box asks for username/password authentication instead of just displaying it on screen.

But when I use a Windows command prompt, it still lists all the files in the folder and allows me to open the text file and see the info. How do I stop this?

My htaccess file has this code:

```apache
ErrorDocument 401 default
<FilesMatch "login.txt">
AuthName "Member Only"
AuthType Basic
AuthUserFile .htpasswd
require valid-user
</FilesMatch>

# Hide files of type .txt, .php from listing
IndexIgnore *.txt *.php
```
Ken
  • Are you really asking why the CMD prompt with native FS access isn't honoring Apache/.htaccess settings? – mario Jul 04 '19 at 16:35
  • I'm voting to close this question as off-topic because it is not about programming, but too inconcrete for Supi User. – mario Jul 04 '19 at 16:39
  • Well, I thought the code as shown in the htaccess file would prevent listing of the directory. Wondering if the code is wrong. Also, not sure why this is off-topic, it seems programming related like a lot of other questions. – Ken Jul 04 '19 at 16:44
  • But it's not really code. It's a configuration file. And it's unclear why you thought it applies to anything else but the HTTP server. – mario Jul 04 '19 at 16:47
  • Please do a little more research about the web server and how it works. It does not control the machine. Your OS is running the web server, and on the command line you are dealing with the OS, not the web server. You need to figure out how to protect (or hide) files and folders. – Navid Jul 04 '19 at 16:49
  • To NMoeini. Yes, you're right, I forgot about that. So a user would not be able to use a command prompt to list my files, the way that I can on my localhost. So would you say that my code is enough to prevent anyone from listing the contents of the text file? – Ken Jul 04 '19 at 17:03
  • Do not store such data in a `.txt` file. Imagine your .htaccess getting overwritten by accident, then it would show the full directory contents, and all I’d have to do is click on the link to your text file, and I would have your database credentials. Store them in a PHP file, as regular variables. Even if I manage to request that script via HTTP, I won’t _see_ anything in that case. – misorude Jul 05 '19 at 07:33
  • To misorude: Thanks. – Ken Jul 06 '19 at 17:22
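
The advice in the comments (keep the credentials in a PHP file rather than a `.txt` file) can look like the sketch below. This is an added example, not code from the question or from any commenter; it goes one step further than the comment by also refusing a config file that sits under the document root. The paths, the `db_config.php` name, the array keys and the credential values are all hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Added example. Assumed (hypothetical) layout:
//   /var/www/example/public/                <- Apache DocumentRoot, holds this script
//   /var/www/example/private/db_config.php  <- no URL maps to this file
//
// db_config.php contains only a return statement, so it prints nothing
// even if it is ever requested over HTTP by mistake:
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
//                 'user' => 'example_user', 'pass' => 'example_password'];

function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Config file or document root not found');
    }
    // Refuse a config file stored under the document root: there, a lost or
    // overwritten .htaccess is the only thing between it and a browser.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $prefix) === 0) {
        throw new RuntimeException('Config file is inside the document root');
    }
    // A .txt (or any non-PHP) file would be served as readable text.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'php') {
        throw new RuntimeException('Config must be a .php file');
    }
    $config = require $real;
    if (!is_array($config)) {
        throw new RuntimeException('Config file must return an array');
    }
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("Missing config key: $key");
        }
    }
    return $config;
}

$config = load_db_config(__DIR__ . '/../private/db_config.php',
                         $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$pdo = new PDO($config['dsn'], $config['user'], $config['pass'],
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
```

Access from a command prompt on the server itself is governed by operating-system file permissions, not by Apache, so the config file's owner and mode still need to be set on the host.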

0 Answers