SQLite security is based primarily on filesystem security, placing the database outside the web root (i.e. /home/user/private/SQLITE.db instead of /home/www/SQLITE.db) and including an option in your base configuration or include file to point to the database file.

You can use Mcrypt, OpenSSL or any other cryptographic provider to encrypt the information; however, for your application to be able to access the information you would also have to store the encryption key, reducing the protection offered.

If I were you I'd follow the first approach; in my opinion the second approach's overhead does not justify the minimal security gained. SQLite is intended for applications that need a database but don't need a full-fledged solution such as PostgreSQL.

Remember, regardless of the database you use, if you are using a shared hosting provider it is possible other hosting clients will be able to access your database regardless of the engine you use.

Jason

-----Original Message-----
From: Adam Q [mailto:aqsalter@xxxxxxxxxxxxxx]
Sent: Monday, August 16, 2004 7:34 AM
To: php-db@xxxxxxxxxxxxx
Subject: SQLite security

I would like to use an SQLite DB for the prefs for an open source PHP project, but I can't find any way to be sure the DB file is going to be secure...

Is it possible to encrypt a SQLite DB file?

With the current setup, if I include a .htaccess for the DB dir, this will only work for Apache - not IIS.

I know I can include a warning about how important it is to place the files outside the HTTP directory tree and .htaccess files are good, but it is just too easy to download an SQLite DB... I can't really see any PHP use that would be OK for this really.

If I put the db file "SQLITE.DB" into /www/db, anybody can d/l it by typing http://myserver.com/db/SQLITE.DB

I thought I might even be able to prevent d/l by naming the DB file with a "." at the start but it makes no difference.

...
and if the project is open source it is just too much of a security risk as everybody knows where the file is going to be on a default installation.

Otherwise I'm stuck with the standard PHP prefs file "config.inc.php" (- which is safe from prying eyes):

    <?php
    if (defined("correct_entry_point")) {
        $my_pref[1] = "lots of good stuff";
    }
    ?>

But updating this on pref changes is no fun compared to SQLite.... <shrug>

Please somebody tell me I'm wrong,

Cheers,
Adam

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
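
The approach from the reply above (database outside the web root, its location set in the base configuration), as an added example that is not part of the thread or of any project's code. It assumes the PDO SQLite driver; `open_prefs_db` and `is_inside` are hypothetical names, and the path is the one used in the reply.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// Base configuration: the database lives outside the web root.
const DB_PATH = '/home/user/private/SQLITE.db';

/** True when $path is $root itself or anything beneath it. */
function is_inside(string $path, string $root): bool
{
    $root = rtrim($root, '/\\');
    return $path === $root
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
}

/**
 * Open the preferences database, refusing a location the web server
 * could serve and warning when other local accounts can read the file.
 */
function open_prefs_db(string $dbPath, string $docRoot): PDO
{
    // Resolve symlinks and ".." so the comparison is on real locations.
    $dir  = realpath(dirname($dbPath));
    $root = realpath($docRoot);
    if ($dir === false || $root === false) {
        throw new RuntimeException('Database directory or document root not found');
    }
    if (is_inside($dir, $root)) {
        throw new RuntimeException('Database is inside the web root: ' . $dir);
    }
    $file = $dir . DIRECTORY_SEPARATOR . basename($dbPath);
    // Shared hosting: flag a file readable by "other" (POSIX mode bits).
    if (is_file($file) && (fileperms($file) & 0004)) {
        trigger_error('Database file is world-readable: ' . $file, E_USER_WARNING);
    }
    $pdo = new PDO('sqlite:' . $file);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Usage in a web request (DOCUMENT_ROOT is set by the web server).
if (!empty($_SERVER['DOCUMENT_ROOT'])) {
    $db = open_prefs_db(DB_PATH, $_SERVER['DOCUMENT_ROOT']);
}
```

Because the check runs on resolved paths rather than on server configuration, it behaves the same under Apache and IIS.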