Can users of my website discover this URL?

On my website I have a function where people can sign up for a newsletter by putting in an email address. I take the email address in PHP, verify its integrity and then fwrite it to a txt file, e.g. emailaddresses.txt. I noticed that if I browse to www.mywebsite.com/emailaddresses.txt the email addresses can be seen. I set up an htaccess file with Options -indexes in it.

If emailaddresses.txt is an obscure file name, very long and with random characters, is that secure for the time being?

You can fwrite it into a location that is not accessible to your web server - that would be more secure.

No - you need to categorically prevent your server from serving the file, or even better write it to a location outside of the server's scope. Your htaccess file is likely to be faulty. You should probably upload the appropriate section to be looked at.

The -indexes just stops the server from listing the files when the user goes to a directory with no index file.

If you want to write to a file make sure it's outside the web root. Then you will be able to access it, but your users will never be able to see it.

If you store such data in a file, put access restrictions into place that deny access to that file for unauthorized users ...

Security by obscurity IS NOT secure.

Place your emailaddresses.txt outside your webroot.

As others have said, write it outside of your webroot (i.e. not accessible to the public).

Try this: fwrite(fopen('../emaillist.txt', 'a+'), $delimiter . $email); (note the ../ preceding emaillist.txt). This will write the email file ONE directory above your webroot, i.e. instead of /home/user/public_html/emaillist.txt, it will be located in /home/user/emaillist.txt - which won't be accessible via the web, but you will be able to see it via FTP.
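The advice in the answers above, written out as an added example (not code from any of the posters): it resolves the storage directory to an absolute path, refuses to write if that directory is the web root or below it, and appends one validated address per line under a lock. The function names `list_path` and `append_email` are hypothetical, and the layout assumes the calling script sits directly in the web root (e.g. /home/user/public_html).

```php
<?php
// Added example. Assumption: this script lives directly in the web root,
// so dirname(__DIR__) is the directory one level above it.

function list_path(string $storageDir, string $webRoot): string
{
    $dir  = realpath($storageDir);   // absolute, symlinks resolved
    $root = realpath($webRoot);
    if ($dir === false || $root === false) {
        throw new RuntimeException('Directory does not exist');
    }
    // Reject a storage directory that is the web root or anywhere below it;
    // a file there can be fetched by URL no matter how obscure its name is.
    if (strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Storage directory is served by the web server');
    }
    return $dir . DIRECTORY_SEPARATOR . 'emaillist.txt';
}

function append_email(string $path, string $email): bool
{
    $email = trim($email);
    // One address per line: refuse embedded line breaks, then validate the syntax.
    if (preg_match('/[\r\n]/', $email) === 1
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $fh = fopen($path, 'ab');        // append only, never truncate the list
    if ($fh === false) {
        return false;
    }
    $ok = false;
    if (flock($fh, LOCK_EX)) {       // serialize concurrent sign-ups
        $ok = fwrite($fh, $email . PHP_EOL) !== false;
        flock($fh, LOCK_UN);
    }
    fclose($fh);
    return $ok;
}

// Usage from the sign-up handler in the web root.
$path = list_path(dirname(__DIR__), __DIR__);
$saved = append_email($path, $_POST['email'] ?? '');
```

Using `__DIR__` instead of a bare `../` keeps the target independent of the process's current working directory, which a relative path in `fopen()` depends on.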