I feel I may have uncovered a potentially large difficulty for the adoption of SQLite.
I think encryption for SQLite is essential for PHP. Without it, it makes it almost useless in a webscripting language.
Suppose you wanted to create an open source, easily portable, file based guestbook in PHP. I would never use SQLLite under the current circumstances... Although I would love to. It seems like the perfect solution.
The database needs a password.... otherwise it is just too much of a security risk.
I would like to use an SQLite DB for the prefs for an open source PHP project, but I can't find any way to be sure the DB file is going to be secure... Is it possible to password protect a SQLite DB file?
If not, I can't think of one (1) web based application where I would recommend SQLite.
Maybe for PHP-GTK, but that is not web based (and PHP is used a great deal for web scripting).
With the current setup, if I include a .htaccess for the DB dir, this will only work for Apache - not IIS.
I know I can include a warning about how important it is to place the files outside the HTTP directory tree and .htaccess files are good, but it is just too easy to download an SQLite DB... I can't really see any PHP use that would be OK for this really.
if I put the db file "SQLITE.DB" into /www/db
Anybody can d/l it by typing
http://myserver.com/db/SQLITE.DB
I though I might even be able to prevent d/l by naming the DB file with a "." at the start but it makes do difference.
... and if the project is open source it is just too much of a security risk as everybody knows where the file is going to be on a default installation.
Otherwise I'm stuck with the standard PHP prefs file "confing.inc.php" (- which is safe from prying eyes):
<?
if (defined("correct_entry_point")) {
my_pref[1] = "lots of good stuff";
}
?>
But updating this on pref changes is no fun compared to SQLite....
Please somebody tell me I'm wrong, Cheers, Adam
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
