Newsgroups: php.internals
From: aqsalter@westnet.com.au (Adam Q)
To: internals@lists.php.net
Date: Mon, 23 Aug 2004 18:56:10 +0800
Subject: SQLite security

Dear all,

I feel I may have uncovered a potentially large difficulty for the adoption of SQLite.

I think encryption for SQLite is essential for PHP. Without it, it makes it almost useless in a webscripting language.

Suppose you wanted to create an open source, easily portable, file based guestbook in PHP. I would never use SQLite under the current circumstances... Although I would love to. It seems like the perfect solution.

The database needs a password.... otherwise it is just too much of a security risk.

I would like to use an SQLite DB for the prefs for an open source PHP project, but I can't find any way to be sure the DB file is going to be secure...
Is it possible to password protect a SQLite DB file? If not, I can't think of one (1) web based application where I would recommend SQLite. Maybe for PHP-GTK, but that is not web based (and PHP is used a great deal for web scripting).

With the current setup, if I include a .htaccess for the DB dir, this will only work for Apache - not IIS. I know I can include a warning about how important it is to place the files outside the HTTP directory tree and .htaccess files are good, but it is just too easy to download an SQLite DB... I can't really see any PHP use that would be OK for this really.

If I put the db file "SQLITE.DB" into /www/db

Anybody can d/l it by typing http://myserver.com/db/SQLITE.DB

I thought I might even be able to prevent d/l by naming the DB file with a "." at the start but it makes no difference.

... and if the project is open source it is just too much of a security risk as everybody knows where the file is going to be on a default installation.

Otherwise I'm stuck with the standard PHP prefs file "confing.inc.php" (- which is safe from prying eyes): But updating this on pref changes is no fun compared to SQLite....

Please somebody tell me I'm wrong,

Cheers,

Adam
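
The message above mentions placing the DB file outside the HTTP directory tree; an application can enforce that itself at install or start-up time, independent of Apache or IIS configuration. The following is an added example, not part of the original post: it assumes the pdo_sqlite extension is available, and the function names and demo paths are hypothetical.

```php
<?php
// Added example: refuse to open a SQLite file that lives under the web root.
// Function names and the demo directory layout are hypothetical.

/**
 * True when the directory holding $dbFile resolves to a location inside
 * $docRoot. realpath() follows symlinks and collapses "..", so
 * /www/db/../db/SQLITE.DB is compared in canonical form.
 */
function is_inside_docroot(string $dbFile, string $docRoot): bool
{
    $root = realpath($docRoot);
    // The DB file may not exist yet, so resolve its parent directory.
    $dir = realpath(dirname($dbFile));
    if ($root === false || $dir === false) {
        return true; // cannot resolve: treat as unsafe (fail closed)
    }
    // A trailing separator stops /www2 from matching the prefix /www.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $dir  = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dir, $root, strlen($root)) === 0;
}

function open_prefs_db(string $dbFile, string $docRoot): PDO
{
    if (is_inside_docroot($dbFile, $docRoot)) {
        throw new RuntimeException(
            "Refusing to use $dbFile: it is inside the web root $docRoot"
        );
    }
    $pdo = new PDO('sqlite:' . $dbFile);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Constructed demo layout: a temporary "web root" and a sibling private dir.
$base = sys_get_temp_dir() . '/sqlite_demo_' . getmypid();
mkdir("$base/www/db", 0700, true);
mkdir("$base/private", 0700, true);

try {
    open_prefs_db("$base/www/db/SQLITE.DB", "$base/www"); // layout from the post
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$db = open_prefs_db("$base/private/prefs.db", "$base/www"); // accepted
echo "Opened prefs DB outside the web root", PHP_EOL;
```

In a real deployment the second argument would typically be `$_SERVER['DOCUMENT_ROOT']`; on case-insensitive filesystems the prefix comparison would need to ignore case.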