SQLite security is based primarily on filesystem security, placing the
database outside the web root (i.e. /home/user/private/SQLITE.db instead of
/home/www/SQLITE.db) and including an option in your base configuration or
include file to point to the database file.

You can use Mcrypt, OpenSSL or any other crypographic provider to encrypt
the information however for your application to be able to access the
information you would also have to store the encryption key, reducing the
protection offered.

If I were you I'd follow the first approach, in my opinion the second
approach's overhead does not justify the minimal security gained.

SQLite is intended for applications that need a database but don't need a
full fledged solution such as PostgreSQL.

Remember regardless of the database you use if you are using a shared
hosting provider it is possible othere hosting clients will be able to
access your database regardless of the engine you use.


-----Original Message-----
From: Adam Q [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 16, 2004 7:34 AM
Subject: [PHP-DB] SQLite security

I would like to use an SQLite DB for the prefs for an open source PHP
project, but I can't find any way to be sure the DB file is going to be
secure... Is it possible to encrypt a SQLite DB file?

With the current setup, if I include a .htaccess for the DB dir, this will
only work for Apache - not IIS.
I know I can include a warning about how important it is to place the files
outside the HTTP directory tree and .htaccess files are good, but it is just
too easy to download an SQLite DB... I can't really see any PHP use that
would be OK for this really.
if I put the db file "SQLITE.DB" into /www/db Anybody can d/l it by typing

I though I might even be able to prevent d/l by naming the DB file with a
"." at the start but it makes do difference.

... and if the project is open source it is just too much of a security risk
as everybody knows where the file is going to be on a default installation.

Otherwise I'm stuck with the standard PHP prefs file "confing.inc.php" 
(- which is safe from prying eyes):
if (defined("correct_entry_point")) {
my_pref[1] = "lots of good stuff";

But updating this on pref changes is no fun compared to SQLite....


Please somebody tell me I'm wrong,

PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit:

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to