Dear all,
I feel I may have uncovered a potentially large difficulty for the
adoption of SQLite.
I think encryption for SQLite is essential for PHP. Without it, it
makes it almost useless in a webscripting language.
Suppose you wanted to create an open source, easily portable, file
based guestbook in PHP. I would never use SQLLite under the current
circumstances... Although I would love to. It seems like the perfect
solution.
The database needs a password.... otherwise it is just too much of a
security risk.
I would like to use an SQLite DB for the prefs for an open source PHP
project, but I can't find any way to be sure the DB file is going to be
secure... Is it possible to password protect a SQLite DB file?
If not, I can't think of one (1) web based application where I would
recommend SQLite.
Maybe for PHP-GTK, but that is not web based (and PHP is used a great
deal for web scripting).
With the current setup, if I include a .htaccess for the DB dir, this
will only work for Apache - not IIS.
I know I can include a warning about how important it is to place the
files outside the HTTP directory tree and .htaccess files are good, but
it is just too easy to download an SQLite DB... I can't really see any
PHP use that would be OK for this really.
if I put the db file "SQLITE.DB" into /www/db
Anybody can d/l it by typing
http://myserver.com/db/SQLITE.DB
I though I might even be able to prevent d/l by naming the DB file with
a "." at the start but it makes do difference.
... and if the project is open source it is just too much of a security
risk as everybody knows where the file is going to be on a default
installation.
Otherwise I'm stuck with the standard PHP prefs file "confing.inc.php"
(- which is safe from prying eyes):
<?
if (defined("correct_entry_point")) {
my_pref[1] = "lots of good stuff";
}
?>
But updating this on pref changes is no fun compared to SQLite....
Please somebody tell me I'm wrong,
Cheers,
Adam
At 13:56 23/08/2004, Adam Q wrote:
Dear all,
I feel I may have uncovered a potentially large difficulty for the
adoption of SQLite.I think encryption for SQLite is essential for PHP. Without it, it makes
it almost useless in a webscripting language.
Why is that? You would have to gain file-level access on the server in
order to read any data. With properly set permissions and reasonable
security, that shouldn't be possible.
I think that most database setups in general don't keep their information
encrypted, and the reasons they use username/password pairs is mainly
because (a) they're designed to serve multiple users (at the OS level) on
the same machine, and (b) they're designed to be accessed over the network.
Do you have some specific concern in mind?
Zeev
Adam Q aqsalter@westnet.com.au writes:
I think encryption for SQLite is essential for PHP. Without it, it makes it
almost useless in a webscripting language. Suppose you wanted to create an
open source, easily portable, file based guestbook in PHP. I would never use
SQLLite under the current circumstances... Although I would love to. It
seems like the perfect solution.The database needs a password.... otherwise it is just too much of a
security risk.
Others have commented on where the database should (or shouldn't) be located
to avoid these problems. If the server environment is so inadequately
maintained as to put database files in locations where they might be
downloaded, then I would contend that it would not be a difficult job to
manage to download the PHP or other data file which contains the username
and/or password that would be used to access the database. If the database is
encrypted, there must be authentication information available to the script
that's going to access the database. That's just as insecure.
If you really want an SQLite dataabase to be encrypted, the author of SQLite,
D. Richard Hipp, has a non-free (one-time royalty, I believe) enhancement to
add that feature. You can find his email address at the sqlite site,
http://www.sqlite.org
Derrell
Adam Q aqsalter@westnet.com.au writes:
I think encryption for SQLite is essential for PHP. Without it, it
makes it
almost useless in a webscripting language. Suppose you wanted to
create an
open source, easily portable, file based guestbook in PHP. I would
never use
SQLLite under the current circumstances... Although I would love to.
It
seems like the perfect solution.The database needs a password.... otherwise it is just too much of a
security risk.Others have commented on where the database should (or shouldn't) be
located
to avoid these problems. If the server environment is so inadequately
maintained as to put database files in locations where they might be
downloaded, then I would contend that it would not be a difficult job
to
manage to download the PHP or other data file which contains the
username
I can see I've touched a nerve here.
Has nobody d/l PHPNuke, PostNuke, phpMyAdmin, Mambo... On and on the
list goes on?
They all put their DB access data in a file called "config.inc.php" (or
something like that). (ie database passwords and general config data)
But they protect it by including something along these lines:
<?
//config.inc.php
if (defined("correct_entry_point")) {
my_pref[1] = "lots of good stuff";
}
?>
so even if you know where this file is in your web tree e.g.
http://www.example.com/db_admin/config.inc.php
all you get when you put it into a web broswer is a blank page.
Is this insecure? Please don't give me a flat yes.
The answer lies behind a thousand veils of shade.
phpMyAdmin consistently is in the top 10 projects on sourceforge. Is
this method insecure? (yes, they drone) Then why do the phpMyAdmin
developers go ahead with it? Because it works. Simple.
PHPNuke has a community in the hundreds of thousands. Is this method
insecure? (yes, yes, yes)
PostNuke ditto? (yes, yes, yes)
Mambo too? (yes, yes, yes)
I've forgotten because there are so many out there on hotscripts.com?
(yes, yes, yes)
And finally, imagine if I used an SQLite DB to store this data... But
we've been there before.
Thank you for the information regarding the encryption. I don't have
the knowledge or skills to include this into PHP 5, but I appreciate
the information - for one thing it means I'm not going crazy, other
people have had the same idea.
Adam
Here is the simple truth, if you are using a shared hosting solution that is
not VPS (Virtual Private Server) it would be relatively trivial for other
users of the system to access any file that the webserver has access to. Now,
because webserver will need access privileges to various PHP configuration
file that means that those users can read then and consequently grab your
passwords.
The only exception to this rule being if PHP is used as CGI or a separate
Apache process is running for each user. In this case given proper file
permissions (Ex. 0600) it would be nearly impossible for other users of the
system to read yourfiles without 1st gaining root access on the machine.
An Sqlite database is nothing more then a binary file, and you should treat it
such. If you do not want to have people being able to download it, do not put
it inside a web accessible directory.
Another trick you can do is to give your sqlite database a .php extension and
create a table that would cause PHP to generate a parse error when trying to
send the database to the user.
Ex. create table '<?php' (a);
This will make it impossible for people to download the data inside your
database.
Ilia
Ilia Alshanetsky wrote:
An Sqlite database is nothing more then a binary file, and you should treat it
such. If you do not want to have people being able to download it, do not put
it inside a web accessible directory.
Or, don't forget the existance of .htaccess files. Want to block sqlite
files by default with an application you distribute, and you don't know
where the user will drop the files? Put one of these in the root of
your application in a .htaccess file:
<files *.sqlite>
order deny,allow
deny from all
</files>
Either way, I don't see how this is a PHP or sqlite issue of any kind.
Server security through file restriction is a problem with many
solutions that are beyond the scope of this mailing list, IMO.
--
Shaun M. Thomas INN Database Administrator
Phone: (309) 743-0812 Fax : (309) 743-0830
Email: sthomas@townnews.com Web : www.townnews.com
There are a lot of ways being a stupid programmer can give you an
insecure website. Saying that just because someone is too stupid to
properly lock down their data store (put outside the web root, run PHP
with proper perms, etc.), makes PHP/SQLite themselves insecure, is like
putting coffee on your lap, driving and blaming McDonalds for your burns.
- eval($_POST['sterling']);
Adam Q wrote:
Adam Q aqsalter@westnet.com.au writes:
I think encryption for SQLite is essential for PHP. Without it, it
makes it
almost useless in a webscripting language. Suppose you wanted to
create an
open source, easily portable, file based guestbook in PHP. I would
never use
SQLLite under the current circumstances... Although I would love to. It
seems like the perfect solution.The database needs a password.... otherwise it is just too much of a
security risk.Others have commented on where the database should (or shouldn't) be
located
to avoid these problems. If the server environment is so inadequately
maintained as to put database files in locations where they might be
downloaded, then I would contend that it would not be a difficult job to
manage to download the PHP or other data file which contains the
usernameI can see I've touched a nerve here.
Has nobody d/l PHPNuke, PostNuke, phpMyAdmin, Mambo... On and on the
list goes on?
They all put their DB access data in a file called "config.inc.php"
(or something like that). (ie database passwords and general config data)
But they protect it by including something along these lines:<?
//config.inc.php
if (defined("correct_entry_point")) {
my_pref[1] = "lots of good stuff";
}
?>so even if you know where this file is in your web tree e.g.
http://www.example.com/db_admin/config.inc.php
all you get when you put it into a web broswer is a blank page.Is this insecure? Please don't give me a flat yes.
The answer lies behind a thousand veils of shade.
phpMyAdmin consistently is in the top 10 projects on sourceforge. Is
this method insecure? (yes, they drone) Then why do the phpMyAdmin
developers go ahead with it? Because it works. Simple.
PHPNuke has a community in the hundreds of thousands. Is this method
insecure? (yes, yes, yes)
PostNuke ditto? (yes, yes, yes)
Mambo too? (yes, yes, yes)
I've forgotten because there are so many out there on hotscripts.com?
(yes, yes, yes)And finally, imagine if I used an SQLite DB to store this data... But
we've been there before.Thank you for the information regarding the encryption. I don't have
the knowledge or skills to include this into PHP 5, but I appreciate
the information - for one thing it means I'm not going crazy, other
people have had the same idea.Adam
--- Adam Q aqsalter@westnet.com.au wrote:
The database needs a password.... otherwise it is just too much of a
security risk.
Based on my observation of the conversation you've been having, I think
you might be making things too complex on yourself. This database is just
a file. So, think of having a file named database.txt, and then think
about how you would secure the data therein.
Hope that helps.
Chris