Newsgroups: php.internals
From: ilia@prohost.org (Ilia Alshanetsky)
To: internals@lists.php.net, Adam Q
Date: Mon, 23 Aug 2004 10:16:50 -0400
Subject: Re: [PHP-DEV] SQLite security
Message-ID: <200408231016.54155.ilia@prohost.org>
References: <0ADA645E-F4F3-11D8-AC67-0003939D6C78@westnet.com.au>

Here is the simple truth: if you are using a shared hosting solution that is not a VPS (Virtual Private Server), it would be relatively trivial for other users of the system to access any file that the webserver has access to. Now, because the webserver will need access privileges to various PHP configuration files, that means that those users can read them and consequently grab your passwords. The only exception to this rule is if PHP is used as CGI or a separate Apache process is running for each user. In this case, given proper file permissions (e.g. 0600), it would be nearly impossible for other users of the system to read your files without first gaining root access on the machine.

An SQLite database is nothing more than a binary file, and you should treat it as such. If you do not want people to be able to download it, do not put it inside a web-accessible directory. Another trick you can do is to give your SQLite database a .php extension and create a table that would cause PHP to generate a parse error when trying to send the database to the user. Ex. create table '
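
The following is an added example, not part of the original post: a small audit that checks the two points made above, that no SQLite file sits under the web document root (detected by content, so a renamed `.php` file is still found) and that database files carry no group/other permission bits. It assumes the SQLite 3 file header; the directory and file names are hypothetical and the sample files are constructed.

```python
import os
import stat
import tempfile

SQLITE3_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite3(path):
    """Identify a database by content, so a renamed file (e.g. *.php) is still found."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE3_MAGIC
    except OSError:
        return False


def audit(docroot, db_paths):
    """Return sorted (path, problem) findings for the two points made in the post."""
    findings = []
    # 1. Any SQLite file under the document root is in a web-accessible directory.
    for dirpath, _dirs, files in os.walk(os.path.realpath(docroot)):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_sqlite3(full):
                findings.append((full, "inside web-accessible directory"))
    # 2. Database files should carry no group/other permission bits (0600).
    for path in map(os.path.realpath, db_paths):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append((path, "mode %04o grants group/other access" % mode))
    return sorted(findings)


def demo():
    """Audit a constructed layout (hypothetical file names) built in a temp dir."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")
        private = os.path.join(base, "data")
        os.makedirs(docroot)
        os.makedirs(private)
        files = {os.path.join(docroot, "site.php"): 0o600,  # database renamed to .php
                 os.path.join(private, "app.db"): 0o600,
                 os.path.join(private, "loose.db"): 0o644}
        for path, mode in files.items():
            with open(path, "wb") as fh:
                fh.write(SQLITE3_MAGIC + b"\x00" * 84)  # constructed header, not a real DB
            os.chmod(path, mode)
        private_dbs = [p for p in files if p.startswith(private)]
        return [(os.path.basename(p), why) for p, why in audit(docroot, private_dbs)]
```

Calling `demo()` reports `loose.db` for its 0644 mode and `site.php` for living under the document root, while `app.db` (0600, outside the document root) produces no finding.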