php data security on server

Name: smbotans
Date: January 8, 2007 at 18:31:19 Pacific
OS: Windows XP Home
CPU/Ram: AMD XP 2000 and 512 Megs
Comment:

hey all,

i need help with securing customer data on a server via php

each customer has his/her own folder that contains his/her data and i want to make sure that only that customer can access that data

currently i am using a membership program to manage all this but i want to offer more ... specifically:

1. when they log in, their data folder and data files have their permission changed to allow them to make changes ... and when they log out, the permissions set to a secure level

2. i want to encrypt their data file (which will get decrypted when they log in)

could you point me to the right php commands to do that, please?

i tried 1. once with another membership site and got nowhere ... i kept getting an error every time i used 'chmod'

thanks in advance

serge

Response Number 1
Name: Michael J (by mjdamato)
Date: January 9, 2007 at 08:18:59 Pacific
Reply:

That sounds a little over the top to me. Changing read/write permissions of files dynamically doesn't accomplish much, IMHO. I'd suggest putting the files in a directory outside of the public folder where they are only accessible through scripts. That way they cannot (through the web) access the files without properly logging in - assuming there are no holes.

Your biggest threat would be from someone gaining access at the server level, which is why using chmod is pointless, IMHO. So, encryption is an option. The problem, however, is that if someone already has access to the files directly, they would have access to the PHP files as well - which would identify how the files were encrypted.

You would want to use a key for the encryption that the hacker would not have access to. Assuming you have the users' passwords MD5 hashed (or something similar) you could use a combination of that hash + the actual password to encrypt/decrypt the files. You would have to make sure, if you allow the users to change their passwords, that you take care to do everything properly so they aren't locked out. Also, encrypting/decrypting can be CPU intensive so it could introduce a time barrier for your clients. I would only decrypt when they request a file - not decrypt all when they login.

I don't like to recommend alternate forums when I'm posting on one, but I think you would get a much better wealth of knowledge by asking this question on phpfreaks.com.

Michael J
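
The password-keyed encryption described in this reply, as an added example that is not part of the original thread. It assumes PHP 7.2+ with the sodium extension and uses libsodium's Argon2id key derivation in place of the MD5-hash-plus-password combination; the function names are hypothetical. A random data key encrypts the files and only a password-wrapped copy of it is stored, so a password change re-wraps one key and nobody is locked out.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Needs PHP 7.2+ with the sodium extension.

// Stretch the password into a 32-byte key-encryption key (Argon2id via libsodium).
function deriveKek(string $password, string $salt): string
{
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
}

// Authenticated encryption; the random nonce is stored in front of the ciphertext.
function seal(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
}

function unseal(string $blob, string $key): string
{
    if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('truncated data');
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('wrong password or modified data');
    }
    return $plain;
}

// At sign-up: a random data key encrypts the files; only a password-wrapped copy is stored.
function wrapDataKey(string $dataKey, string $password): array
{
    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    return ['salt' => $salt, 'wrapped' => seal($dataKey, deriveKek($password, $salt))];
}

function unlockDataKey(array $record, string $password): string
{
    return unseal($record['wrapped'], deriveKek($password, $record['salt']));
}

// Constructed demo: encrypt a file, change the password, decrypt on request.
$record = wrapDataKey(sodium_crypto_secretbox_keygen(), 'old-password');
$file   = seal('constructed sample customer data', unlockDataKey($record, 'old-password'));
$record = wrapDataKey(unlockDataKey($record, 'old-password'), 'new-password'); // password change
echo unseal($file, unlockDataKey($record, 'new-password')), PHP_EOL;
```

The wrapped key and salt can sit next to the user record; without the password they do not decrypt the files, which is the property the reply asks for when someone has direct access to both the data and the PHP source.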



Response Number 2
Name: smbotans
Date: January 9, 2007 at 19:06:27 Pacific
Reply:

thanks michael ... will check out the suggested forum and the idea of storing it in a non public folder and the md5 idea

serge


Response Number 3
Name: Michael J (by mjdamato)
Date: January 9, 2007 at 19:28:46 Pacific
Reply:

The MD5 "idea" was ONLY in reference to the user's password. MD5 is a hashing method, not an encryption method. It is a one-way conversion; if you were to hash the user's data using MD5 it would be lost forever.

Michael J



Response Number 4
Name: smbotans
Date: January 10, 2007 at 18:30:40 Pacific
Reply:

i am still getting to terms with encryption with php and especially the use of the term hash ... i think i understand now ... thanks again

serge


Response Number 5
Name: Taurus
Date: January 26, 2007 at 18:04:57 Pacific
Reply:

Changing the file permissions upon a login and re-securing them when they log out isn't the best way to go about it. That would mean that a user's files are vulnerable to attack once the user has logged in. And what if they don't log out? A timer of some sort would have to be created to re-secure the files after a certain time. But I still wouldn't recommend it.

I wouldn't recommend using a file system at all to store user accounts but it is possible. I would much rather use a database. But if the facility to do that isn't available to you, then the file system would work.

You should use a file permission of 600 to only allow an owner read or write, the files will only be accessed by scripts that way. A simple way of doing it would be to read each line of a file into an array with the file() function (check out php.net) and edit them based on array indexes. :)

Well that's my two cents. Good luck. :)


Response Number 6
Name: smbotans
Date: January 26, 2007 at 18:37:57 Pacific
Reply:

thanks for your thoughts taurus ... my idea with chmod was to change file permissions when the data is read/saved and then set them back to secure mode straight away ... this way the file would be 'vulnerable' only for the amount of time it takes for the file to be read/saved

cheers

serge


Response Number 7
Name: Taurus
Date: January 27, 2007 at 04:12:27 Pacific
Reply:

Hey. I understand what you're trying to do now but there's no need. If you change the permissions to 600 then only an owner can read and write to that file. It could still be accessed by a script but not by anyone else. And a simple control panel would be easy to set up to actually read and write data to the file. Every member would need their own file to make things handy.

Developers have a sense of humour, it's just commented out.
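
The script-only access discussed in this thread (per-customer folders kept outside the public folder, files at mode 600), as an added example that is not part of the original posts. The function names, the `customer1` id and the temp-directory layout are hypothetical; on a real site the root directory sits outside the document root and the customer id is taken from the login session.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. All names here are hypothetical.

// Map (logged-in customer, requested name) to a path inside that customer's own folder.
function customerPath(string $root, string $customerId, string $file): string
{
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $customerId)) {
        throw new InvalidArgumentException('bad customer id');
    }
    $dir = realpath($root . '/' . $customerId);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('no folder for this customer');
    }
    $name = basename($file); // drops any directory part such as "../"
    if ($name === '' || $name[0] === '.') {
        throw new InvalidArgumentException('bad file name');
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    // An existing entry must resolve inside the folder (rejects symlinks pointing elsewhere).
    if ((file_exists($path) || is_link($path)) && dirname((string) realpath($path)) !== $dir) {
        throw new RuntimeException('file resolves outside the customer folder');
    }
    return $path;
}

function saveCustomerFile(string $root, string $customerId, string $file, string $data): void
{
    $path = customerPath($root, $customerId, $file);
    touch($path);        // create the file empty,
    chmod($path, 0600);  // restrict it to the account PHP runs as (POSIX hosts),
    file_put_contents($path, $data, LOCK_EX); // then write the content
}

function readCustomerFile(string $root, string $customerId, string $file): string
{
    $data = @file_get_contents(customerPath($root, $customerId, $file));
    if ($data === false) {
        throw new RuntimeException('cannot read file');
    }
    return $data;
}

// Constructed demo in a temp directory; in production $root lies outside the document root
// and $customerId comes from the login session, never from the request.
$root = sys_get_temp_dir() . '/customer-data-demo';
@mkdir($root . '/customer1', 0700, true);
saveCustomerFile($root, 'customer1', '../../notes.txt', 'constructed sample data');
echo readCustomerFile($root, 'customer1', 'notes.txt'), PHP_EOL;
```

The mode is set once when the file is created and never loosened, so there is no login/logout permission toggling to get wrong or to leave open if a user never logs out.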



Response Number 8
Name: smbotans
Date: January 28, 2007 at 17:47:50 Pacific
Reply:

thanks taurus

i have a control panel done and each member has his/her own folder and files ... i will use the chmod 600 to secure the pages ... better than nothing

thanks again

serge



Response Number 9
Name: Taurus
Date: January 30, 2007 at 12:13:36 Pacific
Reply:

Excellent. There should be no worries with that. Best of luck. (",)

Developers have a sense of humour, it's just commented out.

